I could see my license limit has reached for my syslog-ng. Can you please let me know how can I get a list of all the host which are getting data from syslog via syslog-ng to splunk?
I think your are getting data from syslog-ng by file monitor. If you are not overwriting source field, you can use it as a filter.
Let's say your syslog data creates file in /var/log/splunk/syslog/...
|tstats count where index=* source="/var/log/splunnk/syslog*" by host
View solution in original post
@scelikok Thanks Scelikok! it helped.