<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk getting the hostname wrong from ESXi hosts in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75548#M15401</link>
    <description>&lt;P&gt;If this has answered your question, please accept it. Thanks!&lt;/P&gt;</description>
    <pubDate>Thu, 01 Nov 2012 14:44:07 GMT</pubDate>
    <dc:creator>alacercogitatus</dc:creator>
    <dc:date>2012-11-01T14:44:07Z</dc:date>
    <item>
      <title>Splunk getting the hostname wrong from ESXi hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75546#M15399</link>
      <description>&lt;P&gt;I have Splunk crawling a /logs directory, which is where it receives most of its data. (/logs is populated via syslog-ng). In inputs.conf, I set host_segment = 2 so that the hostname will be set to the second segment in the path. This has been working fine most of the time. Here is the inputs.conf stanza:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; [monitor:///logs]
 disabled = false
 sourcetype = syslog
 host_segment = 2
 blacklist = \.(bz2|gz)$
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But suddenly I'm noticing some strange hostnames on my indexer... "list_primary_nodes", "add_aam_node", "find_active_primary", "shut_down_vmap_proce" etc... I noticed that they're all coming from a series of new servers that have been sending logs to Splunk: ESXi hosts. &lt;/P&gt;

&lt;P&gt;The log path is correct: &lt;BR /&gt;
     /logs/HOSTNAME/2011/09/14/user&lt;/P&gt;

&lt;P&gt;Here is an event:&lt;/P&gt;

&lt;P&gt;09/14/11 19:31:56 [shut_down_vmap_proce] attempt to stop VMap_HOSTNAME failed.&lt;/P&gt;

&lt;P&gt;So why is it not setting the hostname to HOSTNAME? Why is it setting it to this other hostname that it's capturing from this, albeit unusual-looking, syslog? &lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 14 Sep 2011 19:40:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75546#M15399</guid>
      <dc:creator>Branden</dc:creator>
      <dc:date>2011-09-14T19:40:25Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk getting the hostname wrong from ESXi hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75547#M15400</link>
      <description>&lt;P&gt;It may be possible that a props.conf and/or transforms.conf are resetting the host to something extracted from the event. Check the $SPLUNK_HOME/systems/default/props and transforms files. The regexes on my install look like it's pulling the syslog host from the inside of the [] in your event, which can be a valid way for syslog to output the hostname. &lt;A href="http://tools.ietf.org/html/rfc5424#page-8"&gt;Check the RFC&lt;/A&gt; for standard syslog output (which apparently ESXi doesn't comply with).&lt;/P&gt;

&lt;P&gt;I don't think your host_segment actually does anything, especially since the sourcetype is syslog, which gets a forced host anyway. &lt;/P&gt;

&lt;P&gt;You may want to do something like having syslog dump the ESXi hosts to "/logs/esxi" and doing a props on the source (i.e. [source...esxi.]) and set the host name with a regex that way.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Oct 2011 21:22:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75547#M15400</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2011-10-13T21:22:32Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk getting the hostname wrong from ESXi hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75548#M15401</link>
      <description>&lt;P&gt;If this has answered your question, please accept it. Thanks!&lt;/P&gt;</description>
      <pubDate>Thu, 01 Nov 2012 14:44:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-getting-the-hostname-wrong-from-ESXi-hosts/m-p/75548#M15401</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2012-11-01T14:44:07Z</dc:date>
    </item>
  </channel>
</rss>

