topic Re: dc01 and DC01 different host accoring to splunk in Getting Data In

dc01 and DC01 different host accoring to splunk

fisk12 — Wed, 01 Jun 2011 10:54:31 GMT

For some reason, splunk is showing one host as two, one as DC01 (example) and dc01. Is there any way to merge them?

Re: dc01 and DC01 different host accoring to splunk

mw — Wed, 01 Jun 2011 12:54:37 GMT

There are some known issues (bugs) regarding how hostnames are retrieved. Some of this is fairly difficult to control, e.g. if Splunk receives a logfile with dc01.fqdn in it, it would probably be difficult to normalize that. It could be a bad idea to just lop off the domain. However, there are cases where Splunk data sources (e.g. perfmon or WMI) don't use a consistent means to gather the hostname, which is stupid and hopefully being resolved soon. All hostnames should be lowercased and the same method should be used to retrieve the hostname when dealing with scripted inputs. I'm not sure how fqdn vs. short name should be handled though -- I think you're left with 2 entries in that case.

On the upside, searches are not case sensitive for field values, so "host=dc01" will retrieve events for dc01 and DC01".

Re: dc01 and DC01 different host accoring to splunk

I-Man — Wed, 01 Jun 2011 13:40:39 GMT

This has also been an issue for me. While collecting logs via WMI, sometimes a machine that has a hostname of dc01 will be pulled into Splunk as dc01, DC01, or even dc01.domain.org. As mw stated, searches are not case sensitive, so i can search for all logs from this host by using host="dc01*".

Re: dc01 and DC01 different host accoring to splunk

fisk12 — Wed, 01 Jun 2011 16:51:38 GMT

Yeah i guess its not that big of a deal. Is there any place where you can send a bug repport?

Its a bit more strange that the windows host dont show up in the windows app, just the search upp, you see all the WineventLog:Security etc but just in the search app.

Re: dc01 and DC01 different host accoring to splunk

I-Man — Wed, 01 Jun 2011 17:45:06 GMT

Bugs can be submitted here:
http://www.splunk.com/support

In my humble opinion, i didn't see much point to using the Windows app (maybe i did not spend enough time with it). Most of the default searches provided did not work with our data so i did everything from scratch in the search app. I use the search app for almost everything.

Happy Splunking!

Re: dc01 and DC01 different host accoring to splunk

fisk12 — Wed, 01 Jun 2011 17:48:15 GMT

Maybe you are right 🙂

Re: dc01 and DC01 different host accoring to splunk

twinspop — Thu, 02 Jun 2011 15:02:47 GMT

Yeah, that one's a pain. I just use eval to lower() the field that's causing me trouble:

... | eval host=lower(host)

As stated, search qualifiers will ignore case, but this will help with the stats grouping.