Does anyone know how to identify the Splunk instance from which a raw event was forwarded?
Note: this could either be a heavy or a universal forwarder.
I might have expected to see a field that had this information, but I can't seem to find it.
I am looking to prove where specific already indexed messages came from.
The issue I have is that I believe a second forwarder instance was accidentally started on the same machine and that it forwarded the same events to the same index. We converted from a heavy to a universal forwarder, but the heavy was restarted during an OS reboot (forgot to run the boot-start command, I expect).
A "| dedup _raw" fixes it for future searches, but I am just interested in how I could specifically identify the source. Ideally so I can filter these results with a "| delete" also 😉
Thanks.
Well, it seems that you can't identify the source Splunk instance.
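An added example (not code from the thread or from Splunk) of the dedup logic discussed above, run outside Splunk over constructed rows shaped like exported search results with the fields _raw, _time and _indextime. It shows the caveat a defender would want before reaching for a delete: keying the dedup on _raw alone also collapses legitimately repeated identical lines (a heartbeat that fires every minute), whereas keying on _raw together with _time only collapses the same event indexed twice, and the surplus copies can be listed by index time for review first. The field names and sample rows are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

Event = Dict[str, object]

# Constructed sample rows (not real indexed data), shaped like results
# exported from a search with _raw, _time and _indextime.
# Rows 1-2: one log line indexed twice (the "second forwarder" case).
# Rows 4-5: an identical heartbeat line legitimately logged at two times.
EVENTS: List[Event] = [
    {"_raw": "sshd[100]: Accepted publickey for alice", "_time": 1704103200, "_indextime": 1704103201},
    {"_raw": "sshd[100]: Accepted publickey for alice", "_time": 1704103200, "_indextime": 1704103205},
    {"_raw": "cron[7]: job finished", "_time": 1704103230, "_indextime": 1704103231},
    {"_raw": "heartbeat ok", "_time": 1704103260, "_indextime": 1704103261},
    {"_raw": "heartbeat ok", "_time": 1704103320, "_indextime": 1704103321},
]


def dedup(events: Iterable[Event], fields: Sequence[str]) -> List[Event]:
    """Keep the first event seen for each distinct combination of `fields`,
    mirroring what `| dedup f1 f2 ...` does in a search pipeline."""
    seen = set()
    kept: List[Event] = []
    for ev in events:
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def duplicate_copies(events: Iterable[Event], fields: Sequence[str]) -> List[Event]:
    """Return the surplus copies (everything after the earliest-indexed one)
    for each key, ordered by _indextime, so the rows a second forwarder
    would have produced can be reviewed before any deletion."""
    groups: Dict[Tuple, List[Event]] = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in fields)].append(ev)
    surplus: List[Event] = []
    for copies in groups.values():
        copies.sort(key=lambda e: e["_indextime"])
        surplus.extend(copies[1:])
    return surplus


if __name__ == "__main__":
    print("dedup on _raw keeps      :", len(dedup(EVENTS, ["_raw"])))
    print("dedup on _raw,_time keeps:", len(dedup(EVENTS, ["_raw", "_time"])))
    for ev in duplicate_copies(EVENTS, ["_raw", "_time"]):
        print("surplus copy indexed at", ev["_indextime"], ":", ev["_raw"])
```

Keying on _raw alone drops the second heartbeat, which is real data; keying on _raw and _time drops only the re-forwarded sshd line and leaves the heartbeats intact, and the surplus list gives a small, reviewable set to target rather than deleting on _raw alone.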