Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

host name has '.' appended to it

mfrost8
Builder
‎11-11-2011 07:44 AM

We've started noticing that some of the data from our Linux universal forwarders are being sent with a '.' appended to the indexed hostname. We've been running the 4.2.4 universal forwarder for a while now.

We're seeing a mixture of events from these hosts, some with the indexed hostname set to "host" and some with the name set to "host.". I've never seen this before.

I checked the hostname on each of the 4 servers we see this on, and none have the '.' appended. It's not in /etc/hosts either.

It's unclear where Splunk is getting this host value from, but in some cases it's clearly wrong. Has anyone seen this before?

Thanks

Tags (1)
0 Karma
Reply

mfrost8
Builder
‎11-11-2011 02:40 PM

Curiously, we had a reason to reboot these servers later today. When we did this issue cleared up completely.

0 Karma
Reply

mfrost8
Builder
‎11-11-2011 09:48 AM

I did reverse lookups on all of these host IPs and they are all fully-qualified names in the correct form we'd expect. We are logging a tree full of different apache virtual servers -- all in the same way. That is, there's one set of rules for access.log and error.log in the whole tree. No other unique monitoring for Splunk on this server. Thanks.

0 Karma
Reply

Drainy
Champion
‎11-11-2011 09:04 AM

I have seen this happen with DNS lookups on an internal windows DNS server before, is that similar to this setup and is it possible there is something logging on the box that is either having a DNS lookup done on its IP or perhaps is trying to lookup itself?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...