I'm assuming the data is syslog directly to a Splunk UDP port, and it's because by default we don't resolve IP addresses on a UDP port any more. connection_host in inputs.conf will reset it though.
Are you using a UDP input? Try adding connection_host = dns to your UDP input stanza.
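The setting suggested above, shown in context as an added example that is not part of the original answers. The port number 514 and the sourcetype are assumptions; use the values from your own UDP input stanza.

```ini
# inputs.conf on the Splunk instance that receives the syslog traffic
# (port 514 and sourcetype are assumed values for illustration)
[udp://514]
sourcetype = syslog

# connection_host controls how the host field is set for this input:
#   ip   - host is the IP address of the sending system
#   dns  - host is the reverse-DNS name of the sending system
#   none - host is not taken from the connection; the host setting
#          configured for the input is used instead
connection_host = dns
```

With `dns`, the host value depends on the indexer being able to reverse-resolve the sender, so senders without a PTR record will not get a hostname this way.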
See the following post: Lookups - using them to replace the host field
Yes, thank you for the answer!