Getting Data In

Why is Docker Splunk UF sending logs with 2 different hostnames?

eddiemashayev
Path Finder

Docker-compose

splunkuf:
    image: splunk/universalforwarder:7.0.2
    network_mode: host
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_USER: root
      SPLUNK_CMD: install app /tmp/splunkclouduf.spl -auth admin:changeme
      SPLUNK_DEPLOYMENT_SERVER: XXXX.cloud.splunk.com:8089
      SPLUNK_ADD_1: monitor /docker/log
      SPLUNK_ADD_2: monitor /mnt/logs/postgres
    volumes:
      - /opt/splunk/etc
      - /opt/splunk/var
      - /var/log:/docker/log
      - $DATA_DIR/logs/postgres:/mnt/logs/postgres
      - $DATA_DIR/certs/splunkclouduf.spl:/tmp/splunkclouduf.spl

The container is running in Ubuntu instance. In Splunk cloud I can see 2 hostnames for the same instance:

  1. ubuntu
  2. The real hostname

Any reason why it happens?

0 Karma
1 Solution

eddiemashayev
Path Finder

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

View solution in original post

0 Karma

eddiemashayev
Path Finder

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...