Splunk is not extracting the correct host name fro...

jasicklick · ‎07-15-2016

We are forwarding the messages and secure file to our Splunk server via rsyslog. The files for each server are placed in a separate directory (/var/log/remote/year/month/day/server_name/messages and secure) and ingested into Splunk. Splunk is extracting the correct host name from the messages file, but not the secure file. Each of these files has the same format in regards to date and host name, but for some reason Splunk is assigning the value "splunkserver" as the host name for the contents of the secure file.

ontkanin · ‎07-16-2016

Add host_segment into your monitor input stanza(s).

For example:

[monitor:///var/log/remote/year/month/day/server_name/messages]
host_segment = 7
index = your_index
sourcetype = your_messages_sourcetype
disabled = 0

[monitor:///var/log/remote/year/month/day/server_name/secure]
host_segment = 7
index = your_index
sourcetype = your_secure_sourcetype
disabled = 0

It will use server_name (7th segment) from /var/log/remote/year/month/day/server_name/messages as a host name value.

somesoni2 · ‎07-16-2016

Since Splunk is extracting the host name from the file content, could you provide content of props.conf and transforms.con for these logs, based on sourcetype/source? Also, provide some sample log entries from both logs to validate the configuration. Scrub any sensitive data before posting the sample logs.

Another option, since your log location has a server name, why don't you capture the host using host_segment property in inputs.conf? provided they are the same.

sjaworski · ‎07-16-2016

What does your monitor stanza in your inputs.conf file look like?

Splunk is not extracting the correct host name from the secure file

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!