Is there any way to find all the Splunk instances that has processed the event

VatsalJagani
SplunkTrust

Please check out the idea here (because I don't think it's currently possible with Splunk, unless someone has a workaround or solution I don't know about) - https://ideas.splunk.com/ideas/EID-I-1417

(Copying the same content here; I recommend upvoting the idea if you think this is currently not possible with Splunk today.)

Does anyone know if it is possible to add metadata field(s) to identify all the Splunk instances that have processed a particular event?

Let me explain with an example: I'm collecting WinEventLog from instance1 using a UF, which forwards the logs to instance2, an intermediate UF, which forwards to an intermediate HF (instance3), which forwards the data to the indexer (idx1).

instance1 (UF) -> instance2 (I UF) -> instance3 (I HF) -> idx1 (Indexer)

I want to see if there is a way to get a meta field (indexed time field) that tells the full sequence of where a particular event has traveled through (only Splunk instances of course).

This would be useful for troubleshooting in complex environments. Even if it were only available as a debugging feature, we could enable some parameters that turn this functionality on.

I don't think currently it's possible unless someone has some workaround or solution.

PickleRick
SplunkTrust

No. Unless you do some kind of metadata manipulation (which is still restricted to limited points in your infrastructure, especially in a multi-layered architecture), you have no knowledge of the intermediate steps in an event's path. This is probably one of the reasons for alternative syslog-receiving solutions (like sc4s or some custom rsyslog-based solutions), because by default you get no additional metadata beyond a generic "source" field that usually says something like "tcp:514" or something equally useless.

Normally with an event you only get the "standard" fields - source, host, sourcetype and that's it.

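The "metadata manipulation" mentioned above, sketched as an added example (not configuration from either poster): the collecting UF stamps an index-time field via `_meta` in inputs.conf, and the HF, the first hop that parses, stamps a second one with INGEST_EVAL. The instance names come from the question; the field names `path_uf`/`path_hf` and the `[default]` scope are assumptions.

```ini
# --- instance1 (collecting UF): inputs.conf ---
# _meta adds an index-time field to every event read by this input.
# Field names path_uf / path_hf are assumed; use whatever fits your naming.
[WinEventLog://Security]
_meta = path_uf::instance1

# --- instance3 (intermediate HF, the first hop that parses): props.conf ---
# [default] is assumed here so the transform runs for every sourcetype
# this HF parses; scope it to a sourcetype stanza if you prefer.
[default]
TRANSFORMS-hop = add_hf_hop

# --- instance3: transforms.conf ---
# INGEST_EVAL runs in the parsing pipeline and writes another
# index-time field, so each parsing hop leaves its own marker.
[add_hf_hop]
INGEST_EVAL = path_hf="instance3"

# --- search head: fields.conf ---
# Declare both fields as indexed so searches and tstats use them
# without a search-time extraction.
[path_uf]
INDEXED = true

[path_hf]
INDEXED = true
```

With this in place, `| tstats count where index=<your index> by path_uf, path_hf` shows which collecting UF and which HF each event passed through. The two remaining hops are exactly the limitation described in the answer: instance2 is a UF with no parsing pipeline, so INGEST_EVAL is not available there, and events already parsed by the HF are not parsed again on idx1, so a transform on the indexer will not fire for them.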