/var/log/messages associated with index host NOT the correct source host

krussell101
Path Finder

I have two dozen UF linux systems. All of them are picking up /var/log/messages and sending it to my indexer (the one and only "splunk" host).

All of the /var/log/messages entries are indexed as coming from host=splunk.

WHY?

HELP!

Thanks.

1 Solution

BryanBerry
Path Finder

Have any stray props.conf/transforms.conf on the indexer? Is this all of your forwarders or only some of them?

Try "splunk btool transforms list --debug > out.txt" on your indexer and grep for MetaData:Host in out.txt. It's possible that there's a transform setting the host value to splunk.

BryanBerry
Path Finder

Huh, that is very odd. Was that in etc/system/local/transforms.conf or default? Did you find how that got in there? I'm curious about the cause as well.

krussell101
Path Finder

FOUND IT! THANK YOU!

krussell101
Path Finder

Any hints on where this may have snuck in? I don't recall doing any transforms at all. Will this be on my forwarders somewhere or on the indexer?

Thanks again.

krussell101
Path Finder

This is occurring to /var/log/messages from all of my forwarders.

transforms list output:

system [syslog-host]
system CAN_OPTIMIZE = True
system CLEAN_KEYS = True
system DEFAULT_VALUE =
system DEST_KEY = MetaData:Host
system FORMAT = host::splunk-mydomain.com

Is this taking everything of sourcetype syslog and attributing it to another host?

Cool! So now I have to unset that somehow. Thanks!

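As an added example (not part of this thread or of Splunk's own tooling), the script below automates the check suggested earlier in the thread: it parses the kind of output `splunk btool transforms list --debug` produces, finds every stanza whose DEST_KEY is MetaData:Host, and reports the file it came from and the FORMAT it assigns. The sample input is constructed to match the listing in this post; the file paths in it are assumptions, since the paste shows only the "system" prefix.

```python
"""Scan `splunk btool transforms list --debug` output for transforms that rewrite the host field.

Added example for the thread above; it is not part of Splunk. With --debug, btool prefixes
every line with the file it came from, which is what tells you whether the stanza lives in
system/default or was added in system/local or an app.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample modelled on the listing in the thread. The paths are assumptions.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/system/local/transforms.conf [syslog-host]
/opt/splunk/etc/system/local/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/local/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/local/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/system/local/transforms.conf DEST_KEY = MetaData:Host
/opt/splunk/etc/system/local/transforms.conf FORMAT = host::splunk-mydomain.com
/opt/splunk/etc/system/default/transforms.conf [syslog-header]
/opt/splunk/etc/system/default/transforms.conf DEST_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf REGEX = ^(?:<\\d+>)?(.*)$
"""

# "<file> [stanza]" and "<file> KEY = value" lines; the file prefix has no spaces.
STANZA_RE = re.compile(r"^(\S+)\s+\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^(\S+)\s+([A-Za-z_][\w.:-]*)\s*=\s*(.*)$")


def parse_btool(text):
    """Return OrderedDict: stanza name -> {'file': path, 'settings': {key: value}}.

    Settings that follow a stanza header are attached to it; an empty value
    (like the DEFAULT_VALUE line above) is kept as an empty string.
    """
    stanzas = OrderedDict()
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(2)
            stanzas[current] = {"file": m.group(1), "settings": {}}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current]["settings"][m.group(2)] = m.group(3).strip()
    return stanzas


def find_host_rewrites(text):
    """List (stanza, file, FORMAT) for every transform whose DEST_KEY is MetaData:Host."""
    hits = []
    for name, info in parse_btool(text).items():
        settings = info["settings"]
        if settings.get("DEST_KEY") == "MetaData:Host":
            hits.append((name, info["file"], settings.get("FORMAT", "")))
    return hits


if __name__ == "__main__":
    # Pipe real output in: splunk btool transforms list --debug | python3 find_host_rewrites.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTOOL_OUTPUT
    for name, path, fmt in find_host_rewrites(text):
        print(f"[{name}] in {path} sets host via FORMAT = {fmt!r}")
```

A FORMAT of the form `host::<literal>`, as in the thread, assigns that one host to every event the stanza's REGEX matches, which is why all /var/log/messages events arrive as the indexer's hostname. A transform only runs if a props.conf stanza references it in a TRANSFORMS-* setting, so the companion check is `splunk btool props list syslog --debug` to see which file wires `syslog-host` to the `syslog` sourcetype.
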
krussell101
Path Finder

This isn't an answer

krussell101
Path Finder

No, they pick up the local hostname, which is how I want it to behave. All other files in /var/log come over with the correct hostname. This is the only file which is attributed to the incorrect host.

Lucas_K
Motivator

Is there a hostname defined on your UFs in /opt/splunkforwarder/etc/system/local/inputs.conf?

krussell101
Path Finder

sourcetype = syslog

Ayn
Legend

What sourcetype do you have for /var/log/messages?
