Splunk Enterprise Security

Splunk Stream: how to keep original host IP/name

Explorer

I have a distributed setup of Splunk ES, with separate SH, indexers and forwarder. I set some flows (sFlow, Netflow to forwarder). However, forwarder's IP is set in a "host" field of all logs. How can I keep the original device address (i.e. an address of a router that is sending those flows).

Labels (1)
Tags (1)
0 Karma