determining where an event originated

a212830
Champion

Hi,

I have some syslog messages that I want to turn off from my sandbox. They are coming in from 3 potential servers. I removed the logfile from the inputs.conf, and bounced the forwarders, but they are still coming in. Since the host on these messages points to the originating device (not the forwarder host), how can I determine where they are coming from? I stopped each of the forwarders, and I still see them coming in.

0 Karma

MHibbin
Influencer

In addition to @dskillman's response... You can use "btool" to quickly list all the "inputs.conf" files in your instance (as you could have many apps).

Docs are http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...

An example of the command would be (from your $SPLUNK_HOME/bin directory):

./splunk cmd btool inputs list

If your forwarders are "turned off" I would recommend looking for local "file monitors" (i.e. on the system you're on) and UDP/TCP ports as inputs.

0 Karma
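
An added example, not part of the thread or of Splunk's own tooling: a filter over `btool inputs list --debug` output that prints every enabled UDP/TCP listener and file monitor together with the conf file that defines it. It assumes `--debug` prefixes each line with the conf file path and that those paths contain no whitespace; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Reads `btool inputs list --debug` output on stdin and prints, tab-separated,
# each enabled network listener or file monitor and the conf file it came from.
list_active_inputs() {
  awk '
    function emit() {
      # Print the previous stanza unless it was explicitly disabled.
      if (stanza != "" && disabled != "1" && disabled != "true")
        printf "%s\t%s\n", stanza, file
    }
    # Stanza header line: "<conf path> [scheme://target]"
    $2 ~ /^\[/ {
      emit()
      stanza = ""; disabled = ""
      if ($2 ~ /^\[(udp|tcp|tcp-ssl|splunktcp|splunktcp-ssl|monitor|batch):/) {
        file = $1
        stanza = $0
        sub(/^[^ \t]+[ \t]+/, "", stanza)   # drop the leading conf path
      }
      next
    }
    # Setting line inside a stanza we care about: "<conf path> disabled = 1"
    stanza != "" && $2 == "disabled" && $3 == "=" { disabled = tolower($4) }
    END { emit() }
  '
}

# Constructed sample of --debug output (not taken from a real system).
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/system/default/inputs.conf [default]
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/apps/legacy_syslog/local/inputs.conf [udp://514]
/opt/splunk/etc/apps/legacy_syslog/local/inputs.conf sourcetype = syslog
/opt/splunk/etc/system/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/system/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/search/local/inputs.conf [monitor:///var/log/messages]
/opt/splunk/etc/apps/search/local/inputs.conf disabled = 1
/opt/splunk/etc/system/default/inputs.conf [script://$SPLUNK_HOME/bin/scripts/readme.sh]
EOF
}

# Demo on the sample. On a real instance, run instead:
#   "$SPLUNK_HOME/bin/splunk" cmd btool inputs list --debug | list_active_inputs
sample_btool_output | list_active_inputs
```

A `[udp://...]` or `[tcp://...]` line in the result on the indexer means devices can send syslog to it directly, which would explain events arriving while every forwarder is stopped.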

yannK
Splunk Employee

What are the host/sourcetype/source/index associated with the events?

If this is syslog, or if the host is extracted from the event, maybe you have a port open accepting data (check tcp or udp inputs).

0 Karma

dskillman
Splunk Employee

Sounds like you have some local inputs on your indexer. What does your inputs.conf look like on your indexer?
