Hi ddrillic,
I started to use a props.conf, transforms.conf setting to work around exactly this issue. It will add a metadata field containing the host that parsed the event; therefore you will always know which Splunk instance parsed the events or where they came from.
Here is my config:
props.conf
[default]
TRANSFORMS-000-add-relay-info-to-meta = add-relay-info-to-meta
transforms.conf
[add-relay-info-to-meta]
FORMAT = splunk_hwf::<hostNameHere>
REGEX = .
WRITE_META = true
You can then search for index=_internal splunk_hwf::* to see the Splunk instance that parsed the events.
The downside is that the hostname value needs to be hard-coded, but I have an app that works around this as well 😉
Also be aware this will only work on non-INDEXED_EXTRACTIONS events if you use a default parsing pipeline setup.
Hope this helps ...
cheers, MuS
UPDATE
The correct answer would be changing the connection_host in inputs.conf for the corresponding [http...] stanza:
connection_host = [ip|dns|proxied_ip|none]
* Specifies the host if an event doesn't have a host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
sending the data.
* "proxied_ip" checks whether an X-Forwarded-For header was sent
(presumably by a proxy server) and if so, sets the host to that value.
Otherwise, the IP address of the system sending the data is used.
* "none" leaves the host as specified in the HTTP header.
* No default.