Hi,
I've taken on an existing Splunk environment that has had some non-standard things happen to it.
In the process of bringing it back to standard I found that some data was appearing in the default index 'main'.
The first thing I found was that apps existed on the UF that the Deployment Server didn't know about, and they were sending some of this data. I've fixed that, but data is still arriving in main.
When I check on any host UF that is appearing in main, there are no enabled inputs.
The only sourcetypes appearing in main are:
ActiveDirectory
Perfmon:Available Memory
Perfmon:CPU Load
Perfmon:Free Disk Space
Perfmon:Network Interface
WinEventLog:Application
WinEventLog:Security
WinEventLog:System
So it looks like Windows apps running somewhere, which the DS does not know about, are setting the host field for the incoming data.
How can I find the actual forwarder so I can stop these logs?
Thanks ...Laurie:{)
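As an added example (not part of Laurie's post), two Splunk searches that correlate the hosts appearing in main with the forwarders actually connecting to the indexers. They assume the default _internal index with its metrics.log retention, and that the forwarder's serverName (the `hostname` field in the tcpin_connections metrics) matches the event `host` field, which it will not where an input overrides host, as the post suspects.

```spl
index=main earliest=-24h
| stats count AS events_in_main, values(sourcetype) AS sourcetypes, values(source) AS sources BY host, splunk_server

index=_internal sourcetype=splunkd source=*metrics.log group=tcpin_connections
    [ search index=main earliest=-24h | stats count BY host | rename host AS hostname | fields hostname ]
| stats latest(sourceIp) AS forwarder_ip, latest(fwdType) AS fwd_type, latest(version) AS version, latest(guid) AS guid BY hostname, host
| rename hostname AS forwarder_name, host AS indexer
```

A host from the first search that does not appear in the second is a forwarder whose input overrides host; for those, compare the event timestamps in main with the `sourceIp` values in tcpin_connections on the same indexer (`splunk_server`) to narrow down which machine is connecting.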