Getting Data In

Is there any way to find all the Splunk instances that have processed the event

VatsalJagani
SplunkTrust

Please check out the idea here (because I don't think it's currently possible with Splunk unless someone has some workaround or solution that I don't know about) - https://ideas.splunk.com/ideas/EID-I-1417


(Copying the same content here; I recommend upvoting the idea if you think this is not currently possible with Splunk today.)

Does anyone know if it is possible to add metadata field(s) to identify all the Splunk instances that have processed a particular event?

Let me explain with an example: I'm collecting WinEventLog from instance1 using a UF, which forwards the logs to instance2, an intermediate UF, which forwards to an intermediate HF (instance3), which forwards the data to the Indexer (idx1).

instance1 (UF) -> instance2 (I UF) -> instance3 (I HF) -> idx1 (Indexer)

I want to see if there is a way to get a meta field (an index-time field) that records the full sequence of instances a particular event has traveled through (only Splunk instances, of course).

This would be useful for troubleshooting in complex environments. Even having this as a debugging feature, enabled through some parameters, would be enough.

I don't think it's currently possible unless someone has some workaround or solution.

PickleRick
SplunkTrust

No. Unless you do some kind of metadata manipulation (which is still restricted to limited points in your infrastructure, especially in a multi-layered architecture), you have no knowledge of the intermediate steps in an event's path. This is probably one of the reasons for alternative syslog-receiving solutions (like sc4s or some custom rsyslog-based solutions), because by default you get no additional metadata beyond a general "source" field, usually saying something like "tcp:514" or something equally useless.

Normally with an event you only get the "standard" fields - source, host, sourcetype and that's it.

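An added example (not from either poster) of the "metadata manipulation" mentioned above: a heavy forwarder can stamp its own identity into an index-time field, because it runs the parsing pipeline, while the universal forwarders in the chain cannot, so they stay invisible. The stanza name, field name, the sourcetype stanza and the value "hf01" are assumptions to be replaced with your own.

```ini
# transforms.conf on the heavy forwarder (instance3 in the question above).
# INGEST_EVAL runs only on instances that parse the data, so a UF never
# executes this and the indexer does not re-parse cooked data it receives
# from the HF. "hf01" is a constructed value; deploy a different literal
# on each heavy forwarder so the field identifies that hop.
[add_hop_hf]
INGEST_EVAL = hop_hf="hf01"

# props.conf on the same heavy forwarder. The stanza is an assumed
# sourcetype name; bind it to the sourcetype you actually collect.
[WinEventLog]
TRANSFORMS-hop = add_hop_hf

# Search on the search head. Index-time fields are addressed as field::value
# unless fields.conf declares them INDEXED. "host" is the origin, "hop_hf" the
# HF that parsed the event, "splunk_server" the indexer holding it; the
# intermediate UF (instance2) leaves no trace, which is the limitation
# PickleRick describes.
index=wineventlog hop_hf::hf01
| stats count by host, hop_hf, splunk_server
```

If the event was parsed by more than one HF in the chain, only the first parsing instance stamps it, since later hops receive already-cooked data.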