I am getting two separate values in host field for the same host!
Both the values are:
Hostname and hostname.
I am not sure why this is happening, because I am getting logs from only one host via the Splunk Universal Forwarder, but still in Splunk I am getting two different values for it.
Hi,
You will need to create/edit the following files in $SPLUNK_HOME/etc/apps//local/:
props.conf
transforms.conf
NOTE: the following is just an example and should be modified to meet your requirements, using the relevant spec files for assistance:
props.conf:
[yourSourceTypeHere]
TRANSFORMS-hostnametrans = hostoverride
transforms.conf:
[hostoverride]
# capture the whole hostname token (the trailing + matters: [^ ] alone captures a single character)
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?P<host>[^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
You will need to restart Splunk to apply this change.
The following docs should be of use here...
http://docs.splunk.com/Documentation/Splunk/5.0/Data/overridedefaulthostassignments
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Transformsconf
refer: https://answers.splunk.com/answers/65379/override-host-field-value-at-search-time.html
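To make the mechanism in the answer concrete, here is an added example (not part of the original answer and not Splunk's own code) that simulates what a transforms.conf host override does: it parses two constructed stanzas, one ending in `[^ ]` as originally posted and one ending in `[^ ]+`, and runs them over constructed syslog-style events. The stanza names, the sample events and the `forwarder-host` placeholder are all assumptions made for the illustration; the point it shows is that the single-character class silently overrides the host with the first letter of the hostname, while the corrected class captures the whole token.

```python
"""Simulate a Splunk transforms.conf host override (REGEX / FORMAT / DEST_KEY)
against constructed syslog-style events.

Illustrative code only, not Splunk's implementation: it mimics just the parts the
answer's stanza relies on, namely one capture group, a FORMAT of host::$1 and
DEST_KEY = MetaData:Host.
"""
import configparser
import re

# Constructed transforms.conf text modelled on the answer's stanza. The first
# stanza keeps the original trailing [^ ] (one character); the second uses [^ ]+.
TRANSFORMS_CONF = r"""
[hostoverride_original]
REGEX = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P<host>[^ ])
FORMAT = host::$1
DEST_KEY = MetaData:Host

[hostoverride]
REGEX = \w+\s+\d+\s+\d+:\d+:\d+\s+(?P<host>[^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""

# Constructed sample events in classic syslog layout: "<Mon> <day> <hh:mm:ss> <host> ...".
SAMPLE_EVENTS = [
    "Mar  4 10:15:32 websrv01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5",
    "Mar  4 10:15:40 WEBSRV01 sshd[2211]: pam_unix(sshd:session): session opened",
    "no timestamp here, so the regex should not match and host stays unchanged",
]


def load_transforms(text):
    """Parse transforms.conf-style text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX / FORMAT / DEST_KEY exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def apply_host_override(event, stanza, current_host):
    """Return the host the event would carry after the stanza runs.

    If REGEX matches, $1 in FORMAT is replaced by the capture group and the text
    after 'host::' becomes the new MetaData:Host; otherwise the event keeps the
    host it already had (the value assigned by the forwarder).
    """
    if stanza.get("DEST_KEY") != "MetaData:Host":
        raise ValueError("stanza does not target MetaData:Host")
    match = re.search(stanza["REGEX"], event)
    if not match:
        return current_host
    formatted = stanza["FORMAT"].replace("$1", match.group(1))
    key, _, value = formatted.partition("::")
    if key != "host":
        raise ValueError("FORMAT for MetaData:Host must be host::<value>")
    return value


def hosts_after_override(events, stanza, current_host="forwarder-host"):
    """Apply one stanza to every event and return the resulting list of hosts."""
    return [apply_host_override(e, stanza, current_host) for e in events]


if __name__ == "__main__":
    stanzas = load_transforms(TRANSFORMS_CONF)
    for name in ("hostoverride_original", "hostoverride"):
        print(name, hosts_after_override(SAMPLE_EVENTS, stanzas[name]))
```

Running it prints `['w', 'W', 'forwarder-host']` for the original stanza and `['websrv01', 'WEBSRV01', 'forwarder-host']` for the corrected one; the third event has no timestamp, so neither regex matches and the forwarder-assigned host is left alone.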
Hi,
I am aware of the host change methods, and I am not looking for a solution to the problem.
What I would like to know is the reason behind the problem, because the logs are being forwarded from only 1 server, and that is also via the Universal Forwarder. Then why am I getting two different host values?
Is there any host keyword present in your events which is overriding it?
No, I am not overriding the data anywhere, and the installation of the Universal Forwarder was also through the GUI, so I am not overriding it through any configuration files.
Also, the data I am fetching are simple Windows Log Events which don't have any other host keyword that could override the data.