I installed Splunk 4.1 on an Ubuntu 10.04 system - nice and easy. I configured it to index ~7 files from the local /var/log/ path - Splunk started to index - perfectly.
After I experimented with a second Splunk server sending Windows logs as a forwarder (I configured sending and receiving on TCP 9997), my Splunk server seemed to stop indexing my files in /var/log. The counters stopped going up - only messages from "Host=LOG01" (my server) seemed to update. Looking closer, I discovered that all logs formerly correctly identified as coming from different sources - presented nicely on my Search/Summary start page - were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.
How do I get the "source recognition" going again, so that my logs are indexed with the correct source again?
(you might guess that I am rather new to splunk)
Kindest Regards Robert
PS: another thing I did was switch from the Enterprise to the Free license ... but the host correlation seemed to get lost before that ...
There are a couple of ways Splunk determines the hostname.
It sounds like you have scenario #3, where an input setting has a "host" value set to something. This will force all data on that input to be set to that host value.
Hi Paolo, hi Simeon - thanks a lot for your help.
I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]" - just as you suspected ... I restarted Splunk - but the logs are still all showing up under LOG01.
Physically, all my logs are on LOG01 - collected and rotated by Sysklogd, the default Ubuntu syslogger. So Splunk just forgot how to identify the true source.
I am not really sure what to look for. I am not familiar with the term "stanza" - I will grep for LOG01 - maybe I find some other inputs.conf files.
Just to expand a bit on Simeon's answer: in case #3, might it be that you had configured a "host=LOG01" line on the Ubuntu server OUTSIDE the proper configuration stanza in inputs.conf? That might have overridden the standard settings present in $SPLUNK_HOME/etc/system/local/inputs.conf
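As an added example (not code from this thread and not part of Splunk itself), here is a small Python script that parses inputs.conf the way the two answers above describe: Simeon's case #3, a "host" value forced onto an input, and Paolo's point about a "host" line sitting outside the stanza it was meant for. Splunk .conf files are INI-like: a "[name]" line starts a stanza, "key = value" lines below it belong to that stanza, and a key set under [default] or above the first stanza header is inherited by every stanza in the file. The three configs embedded below are constructed for illustration; the file names and the LOG01 host value only mirror the thread. On a real install, `splunk cmd btool inputs list --debug` prints the merged configuration with the file each line came from, which is the quickest way to find a "host" line hiding in an app's local/inputs.conf.

```python
"""
Locate "host" settings in a Splunk inputs.conf and report which stanza
each one lands in.  Added example; the configs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
SETTING_RE = re.compile(r"^\s*(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

# Constructed example 1: the symptom from the thread, "host" under [default].
BROKEN_INPUTS_CONF = """\
[default]
host = LOG01

[monitor:///var/log/syslog]
sourcetype = syslog

[monitor:///var/log/auth.log]
sourcetype = linux_secure

[splunktcp://9997]
"""

# Constructed example 2: Paolo's case, a "host" line above the first header.
# Splunk treats settings above the first stanza as belonging to [default].
STRAY_INPUTS_CONF = """\
host = LOG01

[monitor:///var/log/syslog]
sourcetype = syslog
"""

# Constructed example 3: no global host; only one input pins a host, on purpose.
FIXED_INPUTS_CONF = """\
[monitor:///var/log/syslog]
sourcetype = syslog

[monitor:///var/log/auth.log]
sourcetype = linux_secure

[monitor:///srv/archive/oldbox.log]
host = oldbox
sourcetype = syslog

[splunktcp://9997]
"""


def parse_conf(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (stanza, key, value, line_no) for every setting in the file.

    Lines before the first "[...]" header are filed under "default", which is
    how Splunk treats them, so a stray "host = ..." at the top of the file is
    reported exactly like one written under an explicit [default] header.
    """
    stanza = "default"
    rows: List[Tuple[str, str, str, int]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            stanza = header.group("name").strip() or "default"
            continue
        setting = SETTING_RE.match(line)
        if setting:
            rows.append((stanza, setting.group("key").strip(),
                         setting.group("value"), line_no))
    return rows


def host_overrides(text: str) -> Dict[str, str]:
    """Map stanza name -> host value for every stanza that sets "host"."""
    return {stanza: value
            for stanza, key, value, _ in parse_conf(text) if key == "host"}


def global_host_override(text: str) -> Optional[str]:
    """Host forced on ALL inputs via [default] (explicit or implicit), or None.

    Every monitor:// and splunktcp:// stanza that does not set its own host
    inherits this value, which matches "everything shows up under LOG01".
    """
    return host_overrides(text).get("default")


def report(name: str, text: str) -> List[str]:
    """Human-readable findings for one file; the global override comes first."""
    lines = []
    for stanza, key, value, line_no in parse_conf(text):
        if key != "host":
            continue
        scope = "ALL inputs (inherited from [default])" if stanza == "default" \
            else "only [%s]" % stanza
        lines.append("%s:%d: host = %s applies to %s" % (name, line_no, value, scope))
    return lines


if __name__ == "__main__":
    for name, text in (("broken/inputs.conf", BROKEN_INPUTS_CONF),
                       ("stray/inputs.conf", STRAY_INPUTS_CONF),
                       ("fixed/inputs.conf", FIXED_INPUTS_CONF)):
        print("\n".join(report(name, text)) or "%s: no host overrides" % name)
```

Run it as-is to see the three constructed cases; to check a live system, read each local/inputs.conf under $SPLUNK_HOME/etc/system and $SPLUNK_HOME/etc/apps/*/ into the same functions, since a "host" under [default] in any of those files is merged into the effective configuration.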