https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570777#M101148 <P>My mystery continues.&nbsp; On the UF causing the problem.&nbsp; Restatement:&nbsp; Collecting PaloAlto logs from multiple UF's, all via distributed inputs.conf below.&nbsp; (1) UF however is reporting the host as PaloAlto.&nbsp; Searched through all ./apps/* for possible conf that was overwriting of host_segment and none found.&nbsp;</P><P>Final test, changed target directory AND inputs.conf below from */logs/PaloAlto to */logs/PA using a name that would not have been used in any transforms, etc.&nbsp; Rules out any offending and hidden renaming of host.<BR /><BR />Outcome, the events now show host=PA, even though 'host_segment = 4'</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor:///app01/logs/ASA] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = cisco:asa ignoreOlderThan = 2d disabled = 0 [monitor:///app01/logs/PaloAlto] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = pan:log ignoreOlderThan = 2d disabled = 0</LI-CODE><P>&nbsp;</P> Wed, 13 Oct 2021 13:21:54 GMT tlmayes 2021-10-13T13:21:54Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570216#M101067 <P>I am using the following in a configuration being distributed to several remote syslog servers.&nbsp; Works as expected on all UF's, except 1.&nbsp; From a single UF's, the 'host' field in the indexed events is being reported as "PaloAlto" instead of the 4th segment as expected?&nbsp;<BR /><BR />I searched through all of the .conf files on the UF manually and used BTOOL looking for a missed "host_segment" entry or something hidden in another config that would cause this, none found.&nbsp;</P><P>Am I am missing something obvious to the rest of you?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor:///app01/logs/ASA] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = cisco:asa ignoreOlderThan = 2d disabled = 0 [monitor:///app01/logs/PaloAlto] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = pan:log ignoreOlderThan = 2d disabled = 0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Oct 2021 12:58:36 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570216#M101067 tlmayes 2021-10-08T12:58:36Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570219#M101068 <P>Is the sourcetype assignment correct on the 1 UF?</P><P>The host value can be overridden during Event parsing on HF/Indexer, so you may want to check if some TRANSFORM is applied to that sourcetype.</P> Fri, 08 Oct 2021 13:08:04 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570219#M101068 somesoni2 2021-10-08T13:08:04Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570270#M101078 <P>Thanks.&nbsp; Will have to start eliminating Apps until this problem resolves</P> Fri, 08 Oct 2021 17:34:55 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570270#M101078 tlmayes 2021-10-08T17:34:55Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570313#M101081 <P>Are you sure that Palo sends the logs in the format you're expecting? Some solutions name their log sending "syslog" but send something that doesn't conform to any standards.</P> Sat, 09 Oct 2021 06:35:53 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570313#M101081 PickleRick 2021-10-09T06:35:53Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570320#M101083 <P>Sourcetype assignment is distributed as an app from the DS to all UF's, so is 100% identical on all UF's.&nbsp;&nbsp;</P> Sat, 09 Oct 2021 12:12:48 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570320#M101083 tlmayes 2021-10-09T12:12:48Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570509#M101100 <P>Thanks.&nbsp; All data passes directly from the UF to the Indexers.&nbsp; Same process on 4 UF's, but one acting weird <span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span></P><P>&nbsp;</P> Mon, 11 Oct 2021 18:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570509#M101100 tlmayes 2021-10-11T18:30:49Z https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570777#M101148 <P>My mystery continues.&nbsp; On the UF causing the problem.&nbsp; Restatement:&nbsp; Collecting PaloAlto logs from multiple UF's, all via distributed inputs.conf below.&nbsp; (1) UF however is reporting the host as PaloAlto.&nbsp; Searched through all ./apps/* for possible conf that was overwriting of host_segment and none found.&nbsp;</P><P>Final test, changed target directory AND inputs.conf below from */logs/PaloAlto to */logs/PA using a name that would not have been used in any transforms, etc.&nbsp; Rules out any offending and hidden renaming of host.<BR /><BR />Outcome, the events now show host=PA, even though 'host_segment = 4'</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor:///app01/logs/ASA] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = cisco:asa ignoreOlderThan = 2d disabled = 0 [monitor:///app01/logs/PaloAlto] whitelist = .+\.log$ host_segment = 4 index = syn_netfw sourcetype = pan:log ignoreOlderThan = 2d disabled = 0</LI-CODE><P>&nbsp;</P> Wed, 13 Oct 2021 13:21:54 GMT https://community.splunk.com/t5/Getting-Data-In/host-segment-being-overridden/m-p/570777#M101148 tlmayes 2021-10-13T13:21:54Z