- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Getting two different host values for same hos...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting two different host values for same host.
I am getting two separate values in host field for the same host!
Both the values are:
Hostname and hostname.
I am not sure why it is coming because I am getting logs from only one host via Splunk Universal Forwarder but still in splunk I am getting two different values for them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You will need to create/edit the following files in $SPLUNK_HOME/etc/apps//local/:
props.conf
transforms.conf
NOTE: the following is just an example and should be modified to meet your requirements, using the relevant spec files for assistance:
props.conf:
[yourSourceTypeHere]
TRANSFORM-hostnametrans = hostoverride
transforms.conf:
[hostoverride]
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?P<host>[^ ])
FORMAT = host::$1
DEST_KEY = MetaData:Host
You will need to restart Splunk to apply this change.
The following docs should be of use here...
http://docs.splunk.com/Documentation/Splunk/5.0/Data/overridedefaulthostassignments
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Transformsconf
refer: https://answers.splunk.com/answers/65379/override-host-field-value-at-search-time.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am aware with the host change methods. And I am not looking for solution to the problem.
What i would like to know is that the reason behind the problem. Because the logs are being forwarded from only 1 server that is also via Universal Forwarder. Then why am I getting two different host values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there any host keyword present in your events...which is overriding it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I am not overriding the data anywhere. And the installation of Universal Forwarder was also through GUI. So not overriding through any configuration files.
Also the data I am fetching are simple Windows Log Events which doesn't have other host keyword which can override the data.
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
