I have a sourcetype that has a non-descriptive host and a source defined (both appear to have been overwritten by stanzas in inputs.conf).
Was wondering how I could track this back to the originating system so I can change the configuration. Right now I have no idea where the events are coming from. They are definitely coming from a universal or heavy forwarder.
Thanks
I would recommend including the sourcetype in your question. For example, if Splunk is monitoring a syslog feed, it will override the forwarder host name with the host name written in the log records.
If you are using deployment server, you should be able to find rules for monitoring your sourcetype under an app in SPLUNK_HOME/etc/deployment-apps on your deployment server. Then use the application name found under deployment-apps and reference against serverclass.conf to see where your monitoring rules are targeted to.