https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257837#M49544 <P>For someone else with this issue-- the sourcetype of "syslog" has a specific transform set up to pull out the hostname from the logs. It doesn't use the inputs.conf or server.conf name</P> <P>See this answer: <BR /> <A href="https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html">https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html</A></P> Thu, 19 Sep 2019 15:57:41 GMT ridwanahmed 2019-09-19T15:57:41Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257830#M49537 <P>'Morning...<BR /> I have a v6.5, clustered environment (deployment server), Universal Forwarder on all hosts.</P> <P>I am getting several Linux systems reporting in with two names, shortname and FQDN. But not all of them are doing this, even members of the same Server Class.</P> <P>It seems that all the shortnames are only pulling a <STRONG>sourcetype</STRONG> of <STRONG>syslog</STRONG> or <STRONG>linux_messages_syslog</STRONG> and are only <STRONG>source=/var/log/messages</STRONG>.</P> <P>The FQDNs are showing appropriate sourcetypes and sources (all under <STRONG>/var/log/</STRONG> -- but NOT messages).</P> <P>I have a very simple <STRONG>inputs.conf</STRONG> being deployed:</P> <P>[monitor:///var/log]<BR /> index = servers<BR /> disabled = 0</P> <P>I confirmed that syslog is not configured on these to also send to my heavy forwarders. They are reporting in to the Forwarder Management interface as one system (mixture of short and FQDN).</P> <P>I haven't found a lot of mentions of this here -- I guess this is not very common...?</P> <P>Thoughts?<BR /> Thanks!<BR /> Michael</P> Tue, 29 Sep 2020 11:59:48 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257830#M49537 Michael 2020-09-29T11:59:48Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257831#M49538 <P>Hi Michael,<BR /> If you have only forwarders and none syslog you have to verify the servername associated to the Splunk Forwarder.<BR /> You can verify it in your servers in $SPLUNK_HOME/etc/system/local/server.conf and in $SPLUNK_HOME/etc/system/local/inputs.conf.<BR /> Servername is associated at the installation time from the server hostname.<BR /> If you want, you can modify it but in both the conf files.<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 11:59:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257831#M49538 gcusello 2020-09-29T11:59:50Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257832#M49539 <P>Yes, I know where to find the hostname, but thanks.</P> <P>For what it's worth, I've confirmed that both the inputs.conf and server.conf have the FQDN of the system.</P> <P>Even /etc/hostname on the system has the FQDN.</P> Tue, 29 Nov 2016 18:51:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257832#M49539 Michael 2016-11-29T18:51:41Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257833#M49540 <P>FYI, trying $decideonStartUp didn't seem to work. To recap:</P> <P>[monitor:///var/log]<BR /> host = $decideOnStartup<BR /> index = atl<BR /> disabled = 0</P> <P>Mix of FQDN and short names sending in these:<BR /> /var/log/audit/audit.log<BR /> /var/log/cron<BR /><BR /> /var/log/mcelog<BR /> /var/log/up2date<BR /> /var/log/rhsm/rhsm.log<BR /> etc...</P> <P>short only no FQDN<BR /> /var/log/messages</P> Mon, 13 Mar 2017 14:43:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257833#M49540 Michael 2017-03-13T14:43:13Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257834#M49541 <P>Are some of the logs duplicated, or is it either/or?</P> <P>If either/or, then can you post sanitized versions of each kind?</P> Mon, 13 Mar 2017 15:15:07 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257834#M49541 DalJeanis 2017-03-13T15:15:07Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257835#M49542 <P>None of them are duplicated.</P> <P>Of the three specific ones (in this section of my organization) that I'm narrowing down on, they send everything fine from /var/log/ using their FQDN -- but only the /var/log/messages file is reported using the short-name. They have other Linux (RHEL and CentOs) in that area that are reporting in using shortnames only. I'm trying to find out how they're different...</P> <P>Ah, I see why you wanted a sample of the logs -- the /var/log/message file <STRONG><EM>does</EM></STRONG> include the hostname (short) -- seems that Splunk is pulling the name from there.(?) In the other log files, it does <STRONG><EM>not</EM></STRONG> included a name -- so it's getting it from DNS (hence, the FQDN).</P> <P>i.e.: <BR /> Mar 13 06:18:29 <STRONG>servername</STRONG> dhclient[2958]: DHCPACK from 10.14.8.82 (xid=0x369db4ff)<BR /> v.s.<BR /> type=CRED_DISP msg=audit(1489419002.019:169929): user pid=26065 uid=0 auid=0 ses=25846 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'</P> <P>Is that where you were going with that? I still see other hosts in the same area that are reporting with the same syntax -- but they're <EM>not</EM> producing duplicate names.</P> <P>OK, now, how to fix that?</P> <P>(I love it when I'm apparently the only one "out there" that's experienced are particular issue... <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Cheers,</P> Mon, 13 Mar 2017 15:40:36 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257835#M49542 Michael 2017-03-13T15:40:36Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257836#M49543 <P>Did you ever find a solution to this? I'm having a similar issue-- only <CODE>source=var/log/messages</CODE> goes to host=hostname, while the other logs have host=fqdn</P> <P>my inputs.conf--the only place where this host name is defined (it's not in server.conf)</P> <BLOCKQUOTE> <P>[default] <BR /> host = myhost.mydomain.com<BR /> [monitor:///var/log/messages] <BR /> disabled = false <BR /> sourcetype = syslog <BR /> index = myindex_1</P> </BLOCKQUOTE> <P>[monitor:///usr/local/tomcat/logs/logname.log] <BR /> disabled = false <BR /> sourcetype = log4j i<BR /> index = myindex_2</P> <BLOCKQUOTE> </BLOCKQUOTE> <P>Thanks for any comments.</P> Thu, 19 Sep 2019 14:53:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257836#M49543 ridwanahmed 2019-09-19T14:53:39Z https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257837#M49544 <P>For someone else with this issue-- the sourcetype of "syslog" has a specific transform set up to pull out the hostname from the logs. It doesn't use the inputs.conf or server.conf name</P> <P>See this answer: <BR /> <A href="https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html">https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html</A></P> Thu, 19 Sep 2019 15:57:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-host-names-being-reported-for-the-same-host/m-p/257837#M49544 ridwanahmed 2019-09-19T15:57:41Z