Getting Data In

lost my host correlation - alls logs seem sourced form local server

New Member

Hello -

I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.

After I was experimenting with a second splunk server to send Windows Logs as a forwarder (I configured sending and receiving on tcp 9997) my Splunk server seemed stopped to index my files in /var/log. The counters stopped going up - only Messages from "Host=LOG01" (my server) seemed to update. Looking closer I discovered that all Logs formerly correctly identified as coming form different sources - presented nicely on my Search/Summary start page were stale and turning up under the LOG01 host - which is now displayed as the source of all log messages.

How to get the "source recognition" going again - so h´that my Logs are indexed with the correct source again

(you might guess that I am rather new to splunk)

Kindest Regards Robert

PS: another thing I did was switching from Enterprise to Free License ... but the Host correlation seemed to got lost before that ...

0 Karma

New Member

Hello Robert. Did you ever resolve this issue? I am experiencing this as well except that source has been Splunk host since turning up.

Thanks, Chris

0 Karma

Splunk Employee
Splunk Employee

There are a couple ways Splunk determines hostname.

  1. Via an extracted and indexed field
  2. Via an extracted non-indexed field
  3. At index time via manual setting

It sounds like you have scenario #3, where an input setting has a "host" value set to something. This will force all data on that input to be set to that host value.

0 Karma

New Member

hi Paolo - hi Simeon - thanks a lot for your help.

I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]" - just as you suspected .. I restarted splunk - but the logs are still all showing up under LOG01.

Physically the all my logs are on LOG01 - collected and rotated by Sysklogd - the default Ubuntu Syslogger. So Splunk just forgot how to idetifiy the true source.

I am not really sure what to look for. I not familiar with the term "stanza" - I will grep for a LOG01 - maybe I find some other input.conf's

0 Karma

Just to expand a bit on Simeon answer: in case #3 might it be that you had configured a "host=LOG01" line on the ubuntu server OUTSIDE the proper configuration stanza in inputs.conf? That might have overridden the standard settings present into $SPLUNK_HOME/etc/system/local/inputs.conf

0 Karma