Is there a way to find which forwarder a device's event logs came from?
I have hundreds of devices sending WEC logs through WEC servers, and I could really do with an easy method to pinpoint where they came from during search time.
Something like:
Index=wec_index
| ctable hosts, WECSvr
Hello,
You could use the search below, and you can also track it in the Cloud Monitoring Console.
index=_internal sourcetype=splunkd group=tcpin_connections | stats first(version) by hostname
Thanks
Thanks Roy99 - worked perfectly - easy when you know how.