Hi Guys,
We can see there are 6 hosts which are sending bulk events (logs) to Splunk. But we don't know who is using these hosts' events in Splunk. Is there any way we can identify the searches, reports, alerts or dashboards where these hosts' events are being used? The purpose is that if these logs are not being used anywhere, we can stop the forwarders on those hosts.
Please try this:
index=_* sourcetype=audittrail action=search host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 | stats count BY user host | sort 0 - count | stats list(*) AS * BY user
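Added example, not from this thread: the audit query above covers searches that were actually run, while this Python script checks the stored definitions, scanning the saved searches (reports and alerts) and dashboard XML that the Splunk REST endpoints `saved/searches` and `data/ui/views` return for literal `host=` references. The host names, object names and JSON records are constructed, and a search that reaches a host only through a macro, eventtype or lookup will not be found this way.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copies of what /servicesNS/-/-/saved/searches and
# /servicesNS/-/-/data/ui/views return with output_mode=json (only the fields
# read below). Host and object names are hypothetical.
SAVED_SEARCHES = [
    {"name": "Failed logins", "acl": {"app": "search"},
     "content": {"search": "index=os host=host1 OR host=host2 action=failure | stats count by user"}},
    {"name": "Disk alert", "acl": {"app": "search"},
     "content": {"search": 'index=os host="host3" sourcetype=df pct>90'}},
]
DASHBOARDS = [
    {"name": "ops_overview", "acl": {"app": "search"},
     "content": {"eai:data": "<dashboard><row><panel><chart><search>"
                             "<query>index=os host=host4* | timechart count</query>"
                             "</search></chart></panel></row></dashboard>"}},
]

# Matches host=name, host="name" and wildcard forms such as host=web*
HOST_RE = re.compile(r'\bhost\s*=\s*"?([\w.*-]+)"?', re.IGNORECASE)

def hosts_in_spl(spl):
    """Return the set of host patterns literally referenced in an SPL string."""
    return {m.lower() for m in HOST_RE.findall(spl)}

def dashboard_queries(xml_text):
    """Extract every <query> element from Simple XML dashboard source."""
    return [q.text or "" for q in ET.fromstring(xml_text).iter("query")]

def matches(pattern, host):
    """Splunk-style wildcard match: '*' in the pattern matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), host.lower()) is not None

def host_usage(hosts, saved_searches, dashboards):
    """Map each host to the knowledge objects whose searches reference it."""
    refs = [(f"saved search {s['acl']['app']}/{s['name']}", hosts_in_spl(s["content"]["search"]))
            for s in saved_searches]
    for d in dashboards:
        pats = set().union(*(hosts_in_spl(q) for q in dashboard_queries(d["content"]["eai:data"])))
        refs.append((f"dashboard {d['acl']['app']}/{d['name']}", pats))
    usage = {h.lower(): [] for h in hosts}
    for label, pats in refs:
        for h in usage:
            if any(matches(p, h) for p in pats):
                usage[h].append(label)
    return usage

def unused_hosts(usage):
    """Hosts no saved search or dashboard references: candidates for stopping the forwarder."""
    return sorted(h for h, users in usage.items() if not users)

if __name__ == "__main__":
    print(json.dumps(host_usage(["host1", "host2", "host3", "host4", "host5", "host6"],
                                SAVED_SEARCHES, DASHBOARDS), indent=2))
```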
Hi @roopeshetty
Can you explain your use case better?
You received logs from 6 hosts, right?
Can you identify the hosts with the host field?
Is a UF configured for each host?
Thanks
Alessandro