Splunk Enterprise

How to identify data from different sites

justinrichter
Engager

Given multiple locations with Splunk heavies or edge processors, is there a way at the heavy or edge processor to add a tag or some other relevant piece of identifying information that would identify the site that data came from? I would like to send data from various locations to a single set of indexers and be able to identify where that came from without having to use something like the assets lookup to figure it out.


livehybrid
SplunkTrust
SplunkTrust

Hi @justinrichter 

The easiest way to achieve this is to set an index-time field on each host that applies to all sourcetypes, such as:

# props.conf
[default]
TRANSFORMS-setSourceMeta = setSourceMeta
# or:
RULESET-setSourceMeta = setSourceMeta

# transforms.conf
[setSourceMeta]
# Update the field name and value accordingly. The value must be a quoted
# string literal; unquoted, eval would treat ThisHostName as a field name.
INGEST_EVAL = travelledVia="ThisHostName"

With Edge Processor you can apply a similar approach by using eval to set an index-time field which will be stored for each event.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


PickleRick
SplunkTrust
SplunkTrust

1. Use ruleset instead of transform. Transform won't fire on already parsed data (coming from HF, SH, DS...)

2. If you're using INGEST_EVAL you can use splunk_server value - you don't have to explicitly set the value.
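Putting the accepted answer and the RULESET point above together, as an added example (not from either poster): one small app deployed to the heavy forwarder at each site, with the site name written as a literal, plus the fields.conf entry that makes the new field behave as an indexed field at search time. The app name site_tagging, the field name site and the value london are assumptions; each site's copy of the app carries its own value.

```ini
# $SPLUNK_HOME/etc/apps/site_tagging/local/props.conf  (heavy forwarder only)
[default]
# RULESET- rather than TRANSFORMS-: a TRANSFORMS- entry does not fire on data
# that was already parsed upstream (another HF, a search head, etc.), so data
# relayed through this forwarder would arrive untagged.
RULESET-set_site = set_site

# $SPLUNK_HOME/etc/apps/site_tagging/local/transforms.conf  (heavy forwarder only)
[set_site]
# Quoted literal: an unquoted value is read as a field reference, not a string.
# Index-time fields cannot be changed after indexing, so keep this value stable
# and low-cardinality (one value per site, not per host).
INGEST_EVAL = site="london"

# $SPLUNK_HOME/etc/apps/site_tagging/local/fields.conf  (search heads and indexers)
# Declares "site" as an indexed field so that site=london is resolved against
# the index instead of by search-time extraction.
[site]
INDEXED = true
```

The heavy forwarder needs a restart after the app is deployed. A quick check that the tag is being written on new events: `| tstats count where index=* by site`.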

richgalloway
SplunkTrust
SplunkTrust

Splunk has a host field that identifies the sending server, but there is nothing built-in that identifies the source location (site, IP, etc).  You would need to add fields to include that information.  Use INGEST_EVAL in transforms.conf to do that.

---
If this reply helps you, Karma would be appreciated.