Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Host "localhost" when inputs.conf set-up to use custom name?

tbertran
New Member
‎05-01-2011 09:51 PM

Hi all,

I'm using a straight forward splunk install (no forwarder, no external input source) on my server. Below is an extract from my inputs.conf:

[monitor:///private/var/log]

disabled = false

followTail = 1

host = MyHostName

ignoreOlderThan = 30d

blacklist = (.bz2$|krb5kdc|appfirewall.log)

index = logs

crcSalt = <SOURCE>

Most of the events from this file show up correctly under the MyHostName host but a small portion shows up under localhost like this one:

May 1 14:34:34 localhost configd[14]: network configuration changed.

This is presumably happening because the word localhost appears in the event but I don't care what word appears in the event, I don't want the host name to be anything other than what I set in inputs.conf.

I'm hoping it can be solved without resorting to the transforms.conf, which feels like overkill for this simple issue.

Thanks for the help.

Tags (2)
0 Karma
Reply

southeringtonp
Motivator
‎05-03-2011 06:39 AM

If most of your events are showing the correct host=MyHostName, then it sounds like you're already using transforms.conf to override a subset of the events. Splunk does this out-of-the-box for [syslog] and a few other sourcetypes, but you can disable it.

Check the sourcetypes of the incorrect events - they're probably all showing up as syslog or similar.

Try adding the following in props.conf:

[source::/private/var/log/*]
TRANSFORMS=
TRANSFORMS-host=

You may only need one of the two TRANSFORMS= lines above - most of the default host override use TRANSFORMS, but if you're running postfix, you'll also need to reset TRANSFORMS-host.

Edit:

There are two possible reasons why some events would show localhost and some MyHostName...

  1. Your raw syslog data contains localhost for some events, and MyHostName for others. Splunk is extracting the value it sees.

  2. Transform-based host assignment uses a regular expression to pull out the new value of hostname. If the regex doesn't match, it will fall back to using the value you set in the .conf files.

For more information on how overriding of the hostname works, take a look at:

    
http://www.splunk.com/base/Documentation/4.2/Data/overridedefaulthostassignments.

To see the default transforms used for syslog events, look in the following two files:

    $SPLUNK_HOME/etc/system/default/transforms.conf

    $SPLUNK_HOME/etc/system/default/props.conf

Reply

southeringtonp
Motivator
‎05-09-2011 07:40 AM

See edits above. It doesn't matter that you didn't set up a transform -- there's one in effect by default. The above instructions will turn it off. Field extraction based on the transform will take precedence over the value you set in inputs.conf. As for the ones that look right, either the transform isn't matching those events, or it's acutally overriding it, but with the same value.

0 Karma
Reply

tbertran
New Member
‎05-08-2011 09:17 PM

Hi, thanks for your help. I'm only talking about the one file /private/var/log whose sourcetype is syslog. To clarify, most events for that one source will show a host name of MyHostName (because of my hardcoding the host in inputs.conf) and some events will show localhost as a hostname. I don't see why those events do not have a hostname of MyHostName.

0 Karma
Reply

southeringtonp
Motivator
‎05-03-2011 10:33 AM

To clarify - please edit your question and say what the sourcetypes are for your incorrect data. Splunk has default transforms.conf entries for syslog events that will be in effect unless you have explicitly turned them off (see $SPLUNK_HOME/etc/system/default/transforms.conf)

0 Karma
Reply

tbertran
New Member
‎05-03-2011 10:31 AM

Thanks for your response. No, I'm not using transforms.conf, the host name is set in inputs.conf as shown in my original post and it mostly works but I can't explain why it doesn't always work.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top