Getting Data In

How can I locate the actual source of events?

zindain24
Path Finder

I have a sourcetype that has a non-descriptive host and a source defined (both appear to have been overwritten by stanzas in inputs.conf).

Was wondering how I could track this back to the originating system so I can change the configuration. Right now I have no idea where the events are coming from. They are definitely coming from a universal or heavy forwarder.

Thanks

0 Karma

bandit
Motivator

I would recommend including the sourcetype in your question. For example, if Splunk is monitoring a syslog feed, it will override the forwarder host name with the host name written in the log records.

If you are using deployment server, you should be able to find rules for monitoring your sourcetype under an app in SPLUNK_HOME/etc/deployment-apps on your deployment server. Then use the application name found under deployment-apps and reference against serverclass.conf to see where your monitoring rules are targeted to.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...