<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: wrong HOST value in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21306#M3157</link>
    <description>&lt;P&gt;The easiest way to solve this problem is by specifying a &lt;CODE&gt;sourcetype&lt;/CODE&gt; other than &lt;CODE&gt;syslog&lt;/CODE&gt; in &lt;CODE&gt;inputs.conf&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;For example, try:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///var/log/syslog]
disabled = false
host = abc.mydomain.com
sourcetype = notsyslog
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;For data believed to be syslog, Splunk will try to extract the host from each line. This usually is what's wanted, but that's not always the case. Chris R.'s suggestion is close, but will not work, since at the time that &lt;CODE&gt;props.conf&lt;/CODE&gt; is consulted for this data, the &lt;CODE&gt;host&lt;/CODE&gt; is set to &lt;CODE&gt;abc.mydomain.com&lt;/CODE&gt;, as you configured. It's the regex mechanism that's responsible for changing it.&lt;/P&gt;</description>
    <pubDate>Wed, 25 Aug 2010 10:10:00 GMT</pubDate>
    <dc:creator>Stephen_Sorkin</dc:creator>
    <dc:date>2010-08-25T10:10:00Z</dc:date>
    <item>
      <title>wrong HOST value</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21304#M3155</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have a forwarder sending a syslog file to the receiver.  The syslog has entries like: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Jul 27 09:50:21 ip-10-196-173-139 postfix .....
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;And I don't want the "ip-10-196-173-139" to show up as the "host" on the receiver when doing searches.  So I edited the "inputs.conf" like this:&lt;/P&gt;

&lt;P&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[default]
host = abc.mydomain.com

[monitor:///var/log/syslog]
disabled = false
host = abc.mydomain.com
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&lt;/P&gt;

&lt;P&gt;I did this in a bunch of places since nothing seemed to work:&lt;/P&gt;

&lt;P&gt;/opt/splunk/etc/system/local/inputs.conf&lt;/P&gt;

&lt;P&gt;/opt/splunk/etc/apps/search/local/inputs.conf&lt;/P&gt;

&lt;P&gt;/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf&lt;/P&gt;

&lt;P&gt;I also tried restarting Splunk (both on forwarder and receiver).  But I'm still seeing
the "ip-10-196-173-139" as the host on the receiver side when doing searches.  &lt;/P&gt;

&lt;P&gt;This is driving me crazy.  Can anyone help?&lt;/P&gt;

&lt;P&gt;Thanks!
Sunny&lt;/P&gt;</description>
      <pubDate>Wed, 28 Jul 2010 00:50:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21304#M3155</guid>
      <dc:creator>sunnykkim</dc:creator>
      <dc:date>2010-07-28T00:50:45Z</dc:date>
    </item>
    <item>
      <title>Re: wrong HOST value</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21305#M3156</link>
      <description>&lt;P&gt;Hello Sunny,&lt;/P&gt;

&lt;P&gt;Since Splunk syslog's default extractions are taken directly from the event data, you have to override it another way.
Try these settings all on your indexer (receiver).&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/etc/system/local/props.conf  
[host::ip-10-196-173-139]  
TRANSFORMS = newhost  

$SPLUNK_HOME/etc/system/local/transforms.conf   
[newhost]  
DEST_KEY = MetaData:Host   
REGEX = .  
FORMAT = host::newhostname.domain.com  
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If you have more than just syslog data coming from this host, you may need to set a custom sourcetype on your forwarder to filter off instead of your host in props.conf.
Let me know how it goes.&lt;/P&gt;
      <pubDate>Wed, 28 Jul 2010 06:41:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21305#M3156</guid>
      <dc:creator>Chris_R_</dc:creator>
      <dc:date>2010-07-28T06:41:22Z</dc:date>
    </item>
    <item>
      <title>Re: wrong HOST value</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21306#M3157</link>
      <description>&lt;P&gt;The easiest way to solve this problem is by specifying a &lt;CODE&gt;sourcetype&lt;/CODE&gt; other than &lt;CODE&gt;syslog&lt;/CODE&gt; in &lt;CODE&gt;inputs.conf&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;For example, try:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///var/log/syslog]
disabled = false
host = abc.mydomain.com
sourcetype = notsyslog
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;For data believed to be syslog, Splunk will try to extract the host from each line. This usually is what's wanted, but that's not always the case. Chris R.'s suggestion is close, but will not work, since at the time that &lt;CODE&gt;props.conf&lt;/CODE&gt; is consulted for this data, the &lt;CODE&gt;host&lt;/CODE&gt; is set to &lt;CODE&gt;abc.mydomain.com&lt;/CODE&gt;, as you configured. It's the regex mechanism that's responsible for changing it.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Aug 2010 10:10:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21306#M3157</guid>
      <dc:creator>Stephen_Sorkin</dc:creator>
      <dc:date>2010-08-25T10:10:00Z</dc:date>
    </item>
    <item>
      <title>Re: wrong HOST value</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21307#M3158</link>
      <description>&lt;P&gt;For most of my systems the syslog host only contains the short form "host", and not the fully  qualified domain name; which is what I want to see in splunk.  So I use a transformer (like what Chris R suggests) to simply append a static domain name to my short host.&lt;/P&gt;

&lt;P&gt;If this sounds helpful, you can check it out here:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://answers.splunk.com/questions/1673/hostname-rename-using-transforms/1686#1686" rel="nofollow"&gt;hostname rename using TRANSFORMS&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 25 Aug 2010 10:17:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/wrong-HOST-value/m-p/21307#M3158</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2010-08-25T10:17:43Z</dc:date>
    </item>
  </channel>
</rss>

