Getting Data In

lost my host correlation - all logs seem sourced from local server

robertblasey
New Member

Hello -

I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.

After I was experimenting with a second Splunk server to send Windows logs as a forwarder (I configured sending and receiving on tcp 9997), my Splunk server seemed to stop indexing my files in /var/log. The counters stopped going up - only messages from "Host=LOG01" (my server) seemed to update. Looking closer I discovered that all logs formerly correctly identified as coming from different sources - presented nicely on my Search/Summary start page - were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.

How do I get the "source recognition" going again, so that my logs are indexed with the correct source again?

(you might guess that I am rather new to splunk)

Kindest Regards Robert

PS: another thing I did was switching from Enterprise to Free License ... but the host correlation seemed to get lost before that ...

0 Karma

calyope7
New Member

Hello Robert. Did you ever resolve this issue? I am experiencing this as well except that source has been Splunk host since turning up.

Thanks, Chris

0 Karma

Simeon
Splunk Employee

There are a couple ways Splunk determines hostname.

  1. Via an extracted and indexed field
  2. Via an extracted non-indexed field
  3. At index time via manual setting

It sounds like you have scenario #3, where an input setting has a "host" value set to something. This will force all data on that input to be set to that host value.

0 Karma

robertblasey
New Member

hi Paolo - hi Simeon - thanks a lot for your help.

I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]" - just as you suspected ... I restarted Splunk - but the logs are still all showing up under LOG01.

Physically all my logs are on LOG01 - collected and rotated by Sysklogd, the default Ubuntu syslogger. So Splunk just forgot how to identify the true source.

I am not really sure what to look for. I am not familiar with the term "stanza" - I will grep for LOG01 - maybe I find some other inputs.conf's.

0 Karma

Paolo_Prigione
Builder

Just to expand a bit on Simeon's answer: in case #3, might it be that you had configured a "host=LOG01" line on the Ubuntu server OUTSIDE the proper configuration stanza in inputs.conf? That might have overridden the standard settings present in $SPLUNK_HOME/etc/system/local/inputs.conf

0 Karma
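To make the check Simeon and Paolo describe concrete (an input-level or file-level "host" value forcing every event onto one host), here is an added example, not code from anyone in this thread, that parses an inputs.conf and reports every host override, flagging the ones that apply to all inputs. It assumes Splunk's INI-like .conf layout and that keys placed above the first stanza header are treated as [default] settings; SAMPLE is constructed to mirror the situation in the thread.

```python
# Added example, not from the thread: find "host" settings in a Splunk
# inputs.conf that would stamp every event with one host name.
# Assumption (not stated in the thread): .conf files are INI-like
# ([stanza] headers, key = value, '#' comments) and keys that sit above
# the first stanza header are treated as part of [default].
import re
from typing import Dict, List, Tuple

STANZA_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza: {key: value}}; pre-stanza keys go under 'default'."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            stanzas.setdefault(current, {})[m.group(1).strip()] = m.group(2).strip()
    return stanzas


def find_host_overrides(text: str) -> List[Tuple[str, str, bool]]:
    """(stanza, host, is_global) for each host= line; is_global marks a
    [default]-level value that overrides the host of every input (case #3)."""
    return [(s, kv["host"], s == "default")
            for s, kv in parse_conf(text).items() if "host" in kv]


# Constructed sample: a stray "host = LOG01" above the first stanza
# silently becomes a [default] setting for every input in the file.
SAMPLE = """\
host = LOG01
[monitor:///var/log/auth.log]
sourcetype = linux_secure
[monitor:///var/log/syslog]
host = LOG01
[splunktcp://9997]
"""

if __name__ == "__main__":
    for stanza, host, is_global in find_host_overrides(SAMPLE):
        print("GLOBAL OVERRIDE" if is_global else "per-input", f"[{stanza}] host = {host}")
```

Run it against each inputs.conf under $SPLUNK_HOME/etc (system/local and every app's local directory) to find where a leftover host value still lives.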