Splunk Search

Host Field is Using the Old Hostname

ibraheem
Explorer

Hi,

I'm facing an issue with 5 hosts. We recently changed the hostname of these machines, but it is not reflected in the host field; the host field still shows the old hostname.

Below is a sample log:

"LogName=Security
EventCode=4673
EventType=0
ComputerName=A0310PMTHYCJH15.tnjhs.com.pk
host = A0310PMNIAMT05    source = WinEventLog:Security     sourcetype = WinEventLog "

We are receiving logs from these Windows hosts through a UF. I checked the apps deployed on these hosts and checked inputs.conf; the hostname field is not defined.

The new hostname is shown in the logs in the field ComputerName.

Any suggestions for this problem would be appreciated.


ibraheem
Explorer

Logs are landing directly from the UF to the indexers.


ibraheem
Explorer

In the newly ingested events, the old hostname is used in the host field; the new hostname is shown in the ComputerName field.


PickleRick
SplunkTrust

That is indeed strange. Do you have TA_windows installed on your receiving end?


ibraheem
Explorer

Yes, we have TA_windows installed. I've checked this add-on for the hostname/host field in inputs.conf, but this field does not exist.


PickleRick
SplunkTrust

Are you sending directly from your UF to indexer(s)? Or do you have a HF somewhere in the middle?


PickleRick
SplunkTrust

Are you talking about the old events or the newly ingested ones?
