Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sourcetype by Forwarder GUID

mwdbhyat
Builder
‎11-05-2020 08:25 AM

Hi there,

I have 2 forwarders on a single box - one HF one UF. I want to switch off the UF. Im looking for a list of sourcetypes that the UF is sending. Does anyone have a search that can tell me what sourcetypes are actively sending data to Splunk via the UF's GUID ?

Thanks! 

Labels (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-05-2020 08:53 AM
Have both forwarders the sane server name on server.conf?
If yes is it option to use different?
0 Karma
Reply

mwdbhyat
Builder
‎11-05-2020 08:56 AM

They both use the same - right now no option to change. I know i can use btool and list monitor to get a list of inputs.. but was hoping there was a way of generating a more "active" result from search. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-05-2020 08:59 AM
You could get some info from metrics.log on those nodes. It tells 10 top source, sourcetypes etc. at time. Just switch those to the HF and wait some time to look next round. Probably you could found same information from indexer side also with GUID, but probably it’s easier to check with Greg etc from command line.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...