Got a random notification for this thread and realized I knew more than I did then.. You're absolutely correct here. The `provenance` field gathered from _introspection enables you to fit where the search was initiated from! Here's a generalized introspection search for everyone: index=_introspection sourcetype=splunk_resource_usage component=PerProcess data.search_props.sid::*
data.search_props.role="head"
| fields _time, data.*, host
| eval label = if(isnotnull('data.search_props.label'), 'data.search_props.label', "")
| eval provenance = if(isnotnull('data.search_props.provenance'), 'data.search_props.provenance', "unknown")
| eval read_mb = 'data.read_mb'
| eval written_mb = 'data.written_mb'
| eval process = 'data.process'
| eval pid = 'data.pid'
| eval elapsed = 'data.elapsed'
| eval mem_used = 'data.mem_used'
| eval mem = 'data.mem'
| eval pct_memory = 'data.pct_memory'
| eval pct_cpu = 'data.pct_cpu'
| eval sid = 'data.search_props.sid'
| eval app = 'data.search_props.app'
| eval label = 'data.search_props.label'
| eval type = 'data.search_props.type'
| eval mode = 'data.search_props.mode'
| eval user = 'data.search_props.user'
| eval role = 'data.search_props.role'
| fields _time, host, process, pid, elapsed, mem_used, mem, pct_memory, pct_cpu, sid, app, label, type, mode, user, label, provenance, read_mb, written_mb
| stats latest(*) AS * BY sid
... View more