Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Cloud: How to track sources on Splunk Cloud searchead coming from different intermediate forwarder?

singhdb
New Member
‎04-30-2023 11:57 PM

Platform: Splunk Cloud

Problem statement illustration:

we have 4 intermediate forwarders, and more than 2500 universal forwarders are routing data to these four IFWs.

 

UF (700)----> IFW1------>Splunk cloud

UF (600)----> IFW2------>Splunk cloud

UF (700)----> IFW3------>Splunk cloud

UF (500)----> IFW4------>Splunk cloud

What is needed: How a splunk admin/power user can create a dashboard or fetch information from searchead that which are all sources being routed to splunk cloud through each IFW

query should list the universal forwarder hostname and respective ifw from where it getting routed to splunk cloud

Any lead on this

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-01-2023 06:58 AM

By default, intermediate forwarders (IFs) are invisible.  There is nothing that says which IF an event passed through (or even *if* an IF was involved at all).

To work around that, you will have to add configs to your IFs to have them add a field to every event.  That field would identify which IF processed the event.  One way to do it is to add _meta = forwarder::foo to the IF's inputs.conf file.  This line assigns the value "foo" to the field "forwarder".  You can change "forwarder" to any field you wish.  Of course, you must change "foo" to the actual name of the forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...