I realized the other day we are no longer seeing instances of $decideonstartup in the host field for some of our logs, but we are seeing some logs show up with a host name of ".". I don't know if these are the same servers just with a newer agent version or what. At any rate, I've been able to come up with a few ways to narrow down which servers these actually are, but I'm in a very distributed environment where I don't have actual access to the servers. One thing I found interesting this morning is that in the initial startup logs for an agent, it does report the correct name value in what I suspect is the server.conf file and somewhere else, BUT the host field is still showing ".".
My questions then are:
1. Any idea which files to update to fix this? I suspect $SPLUNK_HOME/etc/system/local/inputs.conf
2. Any idea why this is showing up like it is?
3. Sure would be interested in figuring out a way to correct the issue via my Splunk deployment server
4:39:46.190 PM 03-12-2014 16:39:46.190 -0400 INFO ServerConfig - My hostname is "wuzzle".