Getting Data In

lost my host correlation - all logs seem sourced from local server

robertblasey
New Member

Hello -

I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.

After I was experimenting with a second Splunk server to send Windows logs as a forwarder (I configured sending and receiving on TCP 9997), my Splunk server seemed to stop indexing my files in /var/log. The counters stopped going up - only messages from "Host=LOG01" (my server) seemed to update. Looking closer I discovered that all logs formerly correctly identified as coming from different sources - presented nicely on my Search/Summary start page - were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.

How do I get the "source recognition" going again, so that my logs are indexed with the correct source again?

(You might guess that I am rather new to Splunk.)

Kindest Regards Robert

PS: another thing I did was switching from the Enterprise to the Free license ... but the host correlation seemed to have gotten lost before that ...

0 Karma

calyope7
New Member

Hello Robert. Did you ever resolve this issue? I am experiencing this as well, except that the source has been the Splunk host since turning up.

Thanks, Chris

0 Karma

Simeon
Splunk Employee

There are a couple of ways Splunk determines the hostname.

  1. Via an extracted and indexed field
  2. Via an extracted non-indexed field
  3. At index time via manual setting

It sounds like you have scenario #3, where an input setting has a "host" value set to something. This forces all data on that input to be assigned that host value.

0 Karma

robertblasey
New Member

Hi Paolo - hi Simeon - thanks a lot for your help.

I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]" - just as you suspected. I restarted Splunk - but the logs are still all showing up under LOG01.

Physically, all my logs are on LOG01 - collected and rotated by sysklogd, the default Ubuntu syslogger. So Splunk just forgot how to identify the true source.

I am not really sure what to look for. I am not familiar with the term "stanza" - I will grep for LOG01 - maybe I will find some other inputs.conf files.

0 Karma

Paolo_Prigione
Builder

Just to expand a bit on Simeon's answer: in case #3, might it be that you had configured a "host=LOG01" line on the Ubuntu server OUTSIDE the proper configuration stanza in inputs.conf? That might have overridden the standard settings present in $SPLUNK_HOME/etc/system/local/inputs.conf.

0 Karma
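An added example (not code from the thread or from Splunk) of the check Paolo suggests: a small Python parser over a constructed inputs.conf that reports any `host` set before the first stanza header or under `[default]`, which applies to every input in the file, separately from a `host` set inside one input stanza. The stanza names and the LOG01 value are constructed to mirror the thread.

```python
import re

# Constructed sample inputs.conf reproducing the thread's situation: a host
# override before any stanza and one under [default], plus one per-input host.
SAMPLE_INPUTS_CONF = """\
host = LOG01

[default]
host = LOG01

[monitor:///var/log/syslog]
sourcetype = syslog

[monitor:///var/log/auth.log]
host = LOG01

[splunktcp://9997]
"""

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")   # [stanza name]
KEY_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")  # key = value


def parse_inputs_conf(text):
    """Return (stanza, key, value) triples; stanza is None for settings
    that appear before the first [header] line."""
    stanza, settings = None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            settings.append((stanza, m.group(1), m.group(2)))
    return settings


def find_host_settings(text):
    """Split 'host' settings into file-wide ones (top of file, reported as
    '<top>', or [default]) and per-input ones keyed by stanza name."""
    global_hosts, per_input = [], {}
    for stanza, key, value in parse_inputs_conf(text):
        if key != "host":
            continue
        if stanza is None or stanza == "default":
            global_hosts.append((stanza or "<top>", value))  # forces every input
        else:
            per_input[stanza] = value
    return global_hosts, per_input
```

A non-empty first element of the result is the scenario #3 override to remove; a host inside an individual monitor stanza only affects that input.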