Getting Data In

lost my host correlation - all logs seem sourced from local server

New Member

Hello -

I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.

After I was experimenting with a second splunk server to send Windows Logs as a forwarder (I configured sending and receiving on tcp 9997) my Splunk server seemed to stop indexing my files in /var/log. The counters stopped going up - only Messages from "Host=LOG01" (my server) seemed to update. Looking closer I discovered that all Logs formerly correctly identified as coming from different sources - presented nicely on my Search/Summary start page - were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.

How do I get the "source recognition" going again, so that my Logs are indexed with the correct source again?

(you might guess that I am rather new to splunk)

Kindest Regards Robert

PS: another thing I did was switching from Enterprise to Free License ... but the Host correlation seemed to get lost before that ...

0 Karma

New Member

Hello Robert. Did you ever resolve this issue? I am experiencing this as well, except that the source has been the Splunk host since turning up.

Thanks, Chris

0 Karma

Splunk Employee

There are a couple of ways Splunk determines the hostname.

  1. Via an extracted and indexed field
  2. Via an extracted non-indexed field
  3. At index time via manual setting

It sounds like you have scenario #3, where an input setting has a "host" value set to something. This will force all data on that input to be set to that host value.

0 Karma

New Member

hi Paolo - hi Simeon - thanks a lot for your help.

I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]" - just as you suspected .. I restarted splunk - but the logs are still all showing up under LOG01.

Physically, all my logs are on LOG01 - collected and rotated by Sysklogd, the default Ubuntu Syslogger. So Splunk just forgot how to identify the true source.

I am not really sure what to look for. I am not familiar with the term "stanza" - I will grep for LOG01 - maybe I find some other inputs.conf files.

0 Karma

Just to expand a bit on Simeon's answer: in case #3, might it be that you had configured a "host=LOG01" line on the ubuntu server OUTSIDE the proper configuration stanza in inputs.conf? That might have overridden the standard settings present in $SPLUNK_HOME/etc/system/local/inputs.conf

0 Karma
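The following is an added example, not code from the thread, from Robert or from Splunk. It shows the precedence Simeon's case #3 and Paolo's follow-up rely on: a host value in an input's own stanza wins, otherwise a host value in the [default] stanza is inherited by every stanza in that inputs.conf, otherwise Splunk decides the host at startup from the machine name. The two inputs.conf files are constructed for the example (the stanza names, the APP01 host and the 9997 receiver are assumptions, not taken from Robert's server), and the small awk reader only resolves what the file itself says; index-time host extractions (Simeon's case #1) and the host metadata a forwarder sends on a splunktcp input happen later and are not modelled. On a live server the authoritative check is `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which prints every effective setting with the file it came from.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): a stanza-aware reader
# for inputs.conf that answers "which host value will this monitor input
# stamp on its events?" following the precedence described in the thread:
# the stanza's own host, else the [default] stanza's host, else the value
# Splunk decides at startup from the machine name.

# Constructed inputs.conf reproducing Robert's situation: a forced host in
# [default] that every stanza in the file inherits, plus one stanza (assumed,
# not from the thread) that overrides it with its own host.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
[default]
host = LOG01

[monitor:///var/log]
disabled = false
sourcetype = syslog

[monitor:///opt/app/logs]
disabled = false
host = APP01

[splunktcp://9997]
disabled = false
EOF

# The same inputs with the forced [default] host removed (the fix Robert
# applied). Nothing in this file forces a host any more; an index-time host
# extraction on the syslog sourcetype, if one applies, runs after this.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
[monitor:///var/log]
disabled = false
sourcetype = syslog

[monitor:///opt/app/logs]
disabled = false
host = APP01

[splunktcp://9997]
disabled = false
EOF

# setting_in FILE STANZA KEY: print KEY's value inside [STANZA], or nothing.
# Only "KEY =" matches, so "host" does not pick up "host_regex" lines.
setting_in() {
    awk -v want="$2" -v key="$3" '
        /^\[/ { in_stanza = ($0 == ("[" want "]")); next }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# effective_host FILE STANZA: the stanza's own host wins, then [default],
# then whatever Splunk decides at startup (reported here as a placeholder).
effective_host() {
    h=$(setting_in "$1" "$2" host)
    [ -n "$h" ] || h=$(setting_in "$1" default host)
    [ -n "$h" ] || h="<decided at startup>"
    printf '%s\n' "$h"
}

# forced_hosts FILE: every stanza that sets host, one "stanza host" per line.
# This is the stanza-aware form of the grep for LOG01 that Robert planned.
forced_hosts() {
    awk '
        /^\[/ { stanza = substr($0, 2, length($0) - 2); next }
        /^[ \t]*host[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print stanza " " $0 }
    ' "$1"
}

for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    echo "== $conf"
    forced_hosts "$conf"
    for stanza in 'monitor:///var/log' 'monitor:///opt/app/logs'; do
        printf '%-26s -> %s\n' "$stanza" "$(effective_host "$conf" "$stanza")"
    done
done
```

Run it as-is and the first file resolves both monitor stanzas to LOG01 and APP01 respectively, showing why a [default] host silently relabels every input that does not set its own; the second file still forces APP01 for the stanza that asks for it, but /var/log is no longer pinned. Run `forced_hosts` over each inputs.conf that btool lists (system/local, every app's local and default directory) to find any other place a host is forced.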