I realized the other day that we are no longer seeing instances of $decideonstartup in the host field for some of our logs, but we are seeing some logs show up with a host name of ".". I don't know if these are the same servers, just with a newer agent version, or what. At any rate, I've been able to come up with a few ways to narrow down which servers these actually are, but I'm in a very distributed environment where I don't have actual access to the servers. One thing I found interesting this morning is that in the initial startup logs for an agent it does report the correct name value in what I suspect is the server.conf file and somewhere else, BUT the host field is still showing ".".
My questions then are:
1. Any idea which files to update to fix this? I suspect $SPLUNK_HOME/etc/system/local/inputs.conf
2. Any idea why this is showing up like it is?
3. I sure would be interested in figuring out a way to correct the issue via my Splunk deployment server.
Example logs
3/12/14 4:39:46.190 PM 03-12-2014 16:39:46.190 -0400 INFO ServerConfig - My hostname is "wuzzle".
host = . source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
3/12/14 4:39:46.190 PM 03-12-2014 16:39:46.190 -0400 INFO ServerConfig - My server name is "wuzzle".
host = . source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
Check what the default host name is for all your data.
It should be set up at first start, based on the result of the command "hostname", and stored in the file
$SPLUNK_HOME/etc/system/local/inputs.conf
[default]
host = myhostname
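Since the asker cannot log in to the forwarders directly, a small audit script is the practical way to confirm what the `[default]` stanza actually holds on each box (it can be pushed out and run by whatever remote-execution path the environment already has). The script below is an added example and not part of this thread or of Splunk's own tooling: it extracts the `host` value from the `[default]` stanza of an inputs.conf, flags "." and an unresolved `$decideOnStartup` as placeholders, and, when the value is unusable, prints the repair command. The repair line uses the `splunk set default-hostname` CLI command as I remember it (confirm with `splunk help set` on your version); the file path and the sample config in `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the [default] host value
# in a Splunk forwarder's inputs.conf and flag values that cannot be a real
# host name ("." or an unresolved $decideOnStartup). The file path and the
# sample configs below are constructed for the demo.

# Print the "host" value from the [default] stanza of the given inputs.conf.
# Prints nothing when the stanza or key is absent. Keys are matched only
# inside [default]; a host key under another stanza is ignored.
inputs_default_host() {
    awk '
        /^[[:space:]]*\[/ {
            in_default = ($0 ~ /^[[:space:]]*\[default\][[:space:]]*$/)
            next
        }
        in_default && /^[[:space:]]*host[[:space:]]*=/ {
            sub(/^[[:space:]]*host[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Classify a host value as "missing", "placeholder" or "ok".
# Comparison is case-insensitive so $decideonstartup and $decideOnStartup match.
classify_host() {
    value=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$value" in
        "")                   echo "missing" ;;
        .|'$decideonstartup') echo "placeholder" ;;
        *)                    echo "ok" ;;
    esac
}

# Audit one inputs.conf: print "<classification> <value>" and return non-zero
# unless the value is usable.
audit_inputs_conf() {
    value=$(inputs_default_host "$1")
    status=$(classify_host "$value")
    printf '%s %s\n' "$status" "${value:-<none>}"
    [ "$status" = "ok" ]
}

# Demo on a constructed file mimicking the broken state from the question.
# The repair command is the Splunk CLI as I recall it; verify on your version.
demo() {
    tmp=$(mktemp)
    printf '[default]\nhost = .\n\n[monitor:///var/log]\nhost = ignored\n' > "$tmp"
    audit_inputs_conf "$tmp" \
        || echo "fix: \$SPLUNK_HOME/bin/splunk set default-hostname \"$(hostname)\" && \$SPLUNK_HOME/bin/splunk restart"
    rm -f "$tmp"
}

demo
```

Run it against `$SPLUNK_HOME/etc/system/local/inputs.conf` on a suspect forwarder; a "placeholder" result points at the local file, while "missing" means the default is coming from somewhere else in the precedence chain (a deployment app's `local/inputs.conf`, for instance), which is where a deployment-server pushed app would be the place to set it.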