Hello, please help me. I am trying to load a log like this through splunkforwarder:
May 16 03:36:57 corosync [CMAN ] daemon: sending reply 40000005 to fd 32
May 16 03:36:57 corosync [CMAN ] daemon: read 20 bytes from fd 32
May 16 03:36:57 corosync [CMAN ] daemon: client command is 7
May 16 03:36:57 corosync [CMAN ] daemon: About to process command
May 16 03:36:57 corosync [CMAN ] memb: command to process is 7
May 16 03:36:57 corosync [CMAN ] memb: get_all_members: retlen = 880
And Splunk changes the host name for corosync. How do I bypass it?
Yes, I use the syslog sourcetype.
Go to the path:
etc\system\local
Edit the files below:
server.conf
[general]
serverName = 10.x.x.x
inputs.conf
[default]
host = 10.x.x.x
After making the changes restart the splunkforwarder service.
If you forwarded logs to the indexer earlier, delete the indexed data for the specific host.
or check for recent changes
So it was, the problem was in the sourcetype. Thanks.
What sourcetype are you assigning? There are built-in sourcetypes (e.g. syslog) that could be overriding the host based on the message content.
Try with your monitor stanza. If the data is already indexed it will not help you anymore. You have to delete the index and re-index the files after clearing the fishbucket at the forwarder end.
I tried:
[default]
host = myname
It did not help.
Mention the host name for the input in the splunkforwarder.
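
Added example (not written by any poster in this thread, and not Splunk's own code): a sketch of why the syslog sourcetype indexed the lines from the question under host = corosync, and how to spot such misattributed events against a list of known hosts. The regex is a simplified stand-in for Splunk's index-time syslog host extraction; node01, the third sample line and the known-host set are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-2 come from the question; line 3 is constructed (syslog with a real host field).
SAMPLE = [
    "May 16 03:36:57 corosync [CMAN ] daemon: sending reply 40000005 to fd 32",
    "May 16 03:36:57 corosync [CMAN ] memb: get_all_members: retlen = 880",
    "May 16 03:36:57 node01 sshd[4242]: Accepted publickey for admin",
]

# Simplified stand-in (assumption) for the host rewrite applied to syslog-typed
# data: the token right after the timestamp is taken as the host. corosync writes
# its own name in that position, so the program name ends up as the host.
SYSLOG_HOST = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(?P<host>[\w.\-]+)\s"
)

def effective_host(line, configured_host, rewrite_host):
    """Return the host an event would be indexed under.

    configured_host: the 'host =' value from inputs.conf on the forwarder.
    rewrite_host:    True when the sourcetype rewrites host from the message.
    """
    if rewrite_host:
        match = SYSLOG_HOST.match(line)
        if match:
            return match.group("host")
    # No rewrite, or the line has no syslog header: the configured value is kept.
    return configured_host

def unknown_hosts(lines, configured_host, rewrite_host, known_hosts):
    """Count events whose indexed host is not a known asset."""
    hosts = (effective_host(l, configured_host, rewrite_host) for l in lines)
    return dict(Counter(h for h in hosts if h not in known_hosts))

if __name__ == "__main__":
    known = {"myname", "node01"}  # constructed asset list
    for rewrite in (True, False):
        label = "syslog-style rewrite" if rewrite else "no host rewrite"
        print(label, "->", unknown_hosts(SAMPLE, "myname", rewrite, known))
```

This is why setting host under [default] changed nothing while the syslog sourcetype was in use: in this model the rewrite runs after the configured value is assigned.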