topic Getting two different host values for same host. in Getting Data In

Getting two different host values for same host.

jet1276 — Thu, 01 Feb 2018 05:45:41 GMT

I am getting two separate values in host field for the same host!

Both the values are:

Hostname and hostname.

I am not sure why it is coming because I am getting logs from only one host via Splunk Universal Forwarder but still in splunk I am getting two different values for them.

Re: Getting two different host values for same host.

493669 — Thu, 01 Feb 2018 05:57:19 GMT

Hi,

You will need to create/edit the following files in $SPLUNK_HOME/etc/apps//local/:

props.conf

transforms.conf

NOTE: the following is just an example and should be modified to meet your requirements, using the relevant spec files for assistance:

props.conf:

 [yourSourceTypeHere]
 TRANSFORM-hostnametrans = hostoverride

transforms.conf:

 [hostoverride]
 REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?P<host>[^ ])
 FORMAT = host::$1
 DEST_KEY = MetaData:Host

You will need to restart Splunk to apply this change.

The following docs should be of use here...

http://docs.splunk.com/Documentation/Splunk/5.0/Data/overridedefaulthostassignments
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Transformsconf
refer: https://answers.splunk.com/answers/65379/override-host-field-value-at-search-time.html

Re: Getting two different host values for same host.

jet1276 — Fri, 02 Feb 2018 05:56:15 GMT

Hi,

I am aware with the host change methods. And I am not looking for solution to the problem.

What i would like to know is that the reason behind the problem. Because the logs are being forwarded from only 1 server that is also via Universal Forwarder. Then why am I getting two different host values.

Re: Getting two different host values for same host.

493669 — Fri, 02 Feb 2018 06:06:05 GMT

is there any host keyword present in your events...which is overriding it

Re: Getting two different host values for same host.

jet1276 — Fri, 02 Feb 2018 06:18:15 GMT

No I am not overriding the data anywhere. And the installation of Universal Forwarder was also through GUI. So not overriding through any configuration files.

Also the data I am fetching are simple Windows Log Events which doesn't have other host keyword which can override the data.