Is there any way to find out the HF which was in u...

AShwin1119 · ‎02-08-2023

We got an issue where earlier someone created input on the HF and done the data onboarding but now data stopped coming to the Splunk. but we are unable to find out which HF was used earlier to create the Input.

is there any way to find out the HF which was in use to send the data to the Splunk SH.

shivanshu1593 · ‎02-08-2023

What does the following search tell you when you run it for the log source under question? The host value should give you the name of the HF.

index=<your_index> sourcetype="your_sourcetype"
| dedup host
| table host

If this doesn't give you the desired result, then try the following (Ignore the name of the indexers in the search and focus on the others. You'll find the name of the HF):

index=_internal "sourcetype_name"
| dedup host
| table host

++If this helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Is there any way to find out the HF which was in use to send the data to the Splunk SH?

configuration

splunk-assist

troubleshooting

using Splunk Enterprise

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation