How to identify a raw event's Splunk instance origin


Does anyone know how to identify the Splunk instance from which a raw event was forwarded?
Note: this could either be a heavy or a universal forwarder.

I might have expected to see a field that had this information but I can't seem to find it.

I am looking to prove where specific already indexed messages came from.

The issue I have is that I believe a second forwarder instance was accidentally started on the same machine and that it forwarded the same events to the same index. We converted from a heavy to a universal but the heavy was restarted during an OS reboot (forgot to run the boot-start command, I expect).

A `| dedup _raw` fixes it for future searches but I am just interested in how I could specifically identify the source. Ideally so I can filter these results with a `| delete` also 😉

Thanks.

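An added example, not part of the original post: two SPL searches a defender could use to scope the duplicate-ingest problem described above. The first groups events by `host` and `_raw`, keeps only those indexed more than once, and lists each copy's index time (`_indextime`), the indexer that stored it (`splunk_server`) and its `source`; two copies with distinct index times on the same host is the fingerprint of two forwarders reading the same input. The second queries the indexer's own connection metrics in `_internal` to list which forwarders were connected during that window; the index name `main`, the sourcetype `my_sourcetype`, and the `tcpin_connections` field names (`hostname`, `sourceIp`, `fwdType`, `guid`) are assumptions for this example, so check them against the raw `metrics.log` lines in your environment before relying on them.

```spl
index=main sourcetype=my_sourcetype earliest=-24h
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| stats count, values(indexed_at) AS index_times, values(splunk_server) AS indexers, values(source) AS sources BY host, _raw
| where count > 1
| sort - count
```

To correlate the duplicate window with forwarder activity, run `index=_internal sourcetype=splunkd group=tcpin_connections earliest=-24h | stats count, min(_time) AS first_seen, max(_time) AS last_seen BY hostname, sourceIp, fwdType, guid` over the same time range: a single `hostname` appearing with two different `guid` (or `fwdType`) values is consistent with the heavy and universal forwarder both having been running. Verify the duplicate set with the first search before applying any `| delete`, since `delete` is irreversible and requires the `can_delete` role.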

Re: How to identify a raw events splunk instance origin


Well, it seems that you can't identify the source Splunk instance.
