Splunk Search

How can I identify which heavy forwarder or universal forwarder are sending logs?

germancho88
Engager

Hi, 

I have a problem in my infrastructure: the logs are being duplicated. I am trying to identify from which origin (HF, UF, or Syslog) the logs are being sent, but I have not been successful. Any search ideas that can identify the origin that sent them? Thanks



gcusello
SplunkTrust
SplunkTrust

Hi @germancho88,

First you have to understand what "duplicated logs" means. Do you have:

  • the same log event and the same metadata (host, sourcetype, index, source)?
  • the same log but different metadata?

Knowing this, you have to understand if you receive the same log from one or more hosts.

In both cases you can list the hosts with duplicated logs and check on the Deployment Server if they are UF or HF; if you have logs from syslog or HEC, probably they are HF, otherwise UF.

Anyway, if you're sure that the full log is duplicated, you could run something like this:

index=your_index
| stats values(host) AS host values(sourcetype) AS sourcetype values(source) AS source values(index) AS index count BY _raw
| where count>1

In this way you can understand what's the situation and you can debug your problem.

Generally, causes of duplicated logs could be:

  • clustered appliances or servers,
  • errors in inputs configurations.

Ciao.

Giuseppe
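As an added example (not from the original thread or from Splunk), this offline Python script models the triage above: it groups events by `_raw` the way the `stats ... BY _raw | where count>1` search does, then sorts each duplicate group into the two cases Giuseppe distinguishes (identical metadata versus differing hosts), plus the in-between case of one host with overlapping inputs. The events, hostnames and log lines are constructed sample data.

```python
"""Offline model of the duplicate-log triage from the answer above.

Each event carries the metadata Splunk attaches (host, source,
sourcetype, index) plus the raw text. Grouping by _raw mirrors
`stats values(...) count BY _raw | where count>1`; classify() then
maps a duplicate group to the likely cause named in the answer.
"""
from collections import defaultdict

META = ("host", "source", "sourcetype", "index")


def ev(raw, host, source, sourcetype, index="os"):
    """Build one event record (constructed sample data, not real logs)."""
    return {"_raw": raw, "host": host, "source": source,
            "sourcetype": sourcetype, "index": index}


# Constructed sample events: three duplicate patterns and one clean event.
SAMPLE_EVENTS = [
    ev("sshd[1]: Accepted publickey for ops", "web01", "/var/log/auth.log", "linux_secure"),
    ev("sshd[1]: Accepted publickey for ops", "web01", "/var/log/auth.log", "linux_secure"),
    ev("%ASA-6-302013: Built outbound TCP connection", "fw-a", "udp:514", "cisco:asa", "net"),
    ev("%ASA-6-302013: Built outbound TCP connection", "fw-b", "udp:514", "cisco:asa", "net"),
    ev("kernel: eth0 link up", "db01", "/var/log/messages", "syslog"),
    ev("kernel: eth0 link up", "db01", "/var/log/syslog", "syslog"),
    ev("cron[7]: (root) CMD (run-parts)", "app01", "/var/log/cron", "syslog"),
]


def find_duplicates(events):
    """Return {_raw: {field: sorted distinct values, 'count': n}} for n > 1."""
    groups = defaultdict(list)
    for event in events:
        groups[event["_raw"]].append(event)
    report = {}
    for raw, evs in groups.items():
        if len(evs) < 2:          # the `where count>1` filter
            continue
        report[raw] = {f: sorted({e[f] for e in evs}) for f in META}
        report[raw]["count"] = len(evs)
    return report


def classify(dup):
    """Map a duplicate group to the likely cause described in the answer."""
    if len(dup["host"]) > 1:
        return "different hosts: clustered appliances/servers or two forwarders sending the same data"
    if all(len(dup[f]) == 1 for f in META):
        return "identical metadata: the same input is defined twice (inputs configuration error)"
    return "same host, different source/sourcetype: overlapping inputs on one forwarder"


if __name__ == "__main__":
    for raw, dup in find_duplicates(SAMPLE_EVENTS).items():
        print(f"{dup['count']}x {raw!r} hosts={dup['host']} -> {classify(dup)}")
```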

germancho88
Engager

Thanks for your answer. When I run the search, it shows that logs are being duplicated by host. Is that host the HF or UF, or the source device that generated the event? That is the part I am confused about.


gcusello
SplunkTrust
SplunkTrust

Hi @germancho88,

To understand better, you need to answer: are you speaking of logs from syslog or from servers with UF?

For this reason, the first check is to look at the metadata of your duplicated logs:

if you have more than one host, you have a cluster that sends you logs twice.

Anyway, HFs only ingest their own logs, syslog, and HEC, so if your duplicated logs aren't one of those, they probably come from a UF. But anyway, the first step is to identify the hosts with duplicated logs; then you can investigate to understand why.

Ciao.

Giuseppe
