Splunk Search

Timezone being interpreted as hostname

coleman07
Path Finder

When looking at the data from the /var/log/dracut.log file, Splunk is pulling the timezone field out of the date and time and calling it the host.

Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue

3/27/12 9:15:23.000 AM   Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 /boot/initramfs-2.6.32-220.7.1.el6.x86_64.img
host=MDT   sourcetype=syslog   source=/var/log/dracut.log

The host is not MDT. I see this in several log files. Two questions: 1) How do I fix this so Splunk does not associate MDT as the host, and 2) there is no host in the line, so can Splunk assign a host to the data in this file?

What documentation do you recommend I read which would answer this question?

Thanks,

Sean Coleman


lguinn2
Legend

Splunk believes that this is a syslog-formatted log; I can tell because sourcetype=syslog. In syslog, the host name follows the timestamp. You can do several things to correct this and to speed up the processing of the file: (1) give the file a different sourcetype; (2) tell Splunk to find the timestamp in the first 30 characters of the event.

Find the inputs.conf file that is collecting this input. It might be the input that is collecting /var/log. Edit or create the configuration file props.conf in the same directory as the inputs.conf file.

In props.conf, put

[source::/var/log/dracut.log]
# Any name other than "syslog": the default props.conf [syslog] stanza is what
# runs the syslog-host transform that captured "MDT" as the host
sourcetype = mySourceType
# The leading "Tue Mar 27 09:15:23 MDT 2012" is 28 characters, so 30 covers it
MAX_TIMESTAMP_LOOKAHEAD = 30

Where mySourceType is the name of the sourcetype (you can just make up a new name).

You might browse through the Getting Data In manual. There are several sections that would be useful:

Configuring Timestamps

Configure Sourcetypes
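To make the mechanism behind this answer concrete, here is an added example (not code from the original post, and not Splunk's own code) that emulates the relevant part of the ingest pipeline on the two dracut lines quoted in the question. The host regex is the one from the [syslog-host] stanza in Splunk's default transforms.conf, quoted from memory, so treat it as an assumption and compare it against your own $SPLUNK_HOME/etc/system/default/transforms.conf. The hostnames build01 and web01, the constructed syslog line, the timezone table and the simplified timestamp search are all assumptions made up for the demonstration.

```python
"""Emulate why Splunk's syslog sourcetype turns the dracut timezone into the host.

Added example (not from the original post); runs offline on constructed input.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two dracut.log lines quoted in the question.
SAMPLE_EVENTS = [
    "Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue",
    "Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 "
    "/boot/initramfs-2.6.32-220.7.1.el6.x86_64.img",
]

# A genuine syslog-style line (constructed) to show the extraction doing its intended job.
SYSLOG_LINE = "Mar 27 09:15:23 web01 sshd[1234]: Accepted publickey for root from 10.0.0.5"

# Host regex of the [syslog-host] stanza in Splunk's default transforms.conf,
# quoted from memory (assumption: check it against your own
# $SPLUNK_HOME/etc/system/default/transforms.conf). It anchors on the seconds
# field of the time (":SS") and captures the next word as the host, which on a
# dracut line is the timezone abbreviation that follows the time.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Leading "Tue Mar 27 09:15:23 MDT 2012" of a dracut line: 28 characters.
DRACUT_TIMESTAMP_REGEX = re.compile(
    r"\w{3} (\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ([A-Z]{3,4}) (\d{4})"
)

# Constructed zone table; only what the sample needs (MDT is UTC-6).
ZONE_OFFSET_HOURS = {"MDT": -6, "MST": -7, "UTC": 0}


def syslog_host(event):
    """Apply the syslog-host transform's regex; return the captured host or None."""
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else None


def resolve_host(event, sourcetype, input_host):
    """Emulate which host value the event ends up with.

    sourcetype=syslog: the default props.conf applies the syslog-host transform,
    so a regex match overrides the host supplied by the input stage.
    Any other sourcetype (e.g. the answer's mySourceType): no host transform
    runs, so the event keeps input_host, i.e. the "host" setting of its
    inputs.conf stanza or, failing that, the forwarder's own hostname.
    """
    if sourcetype == "syslog":
        found = syslog_host(event)
        if found:
            return found
    return input_host


def parse_timestamp(event, lookahead=30):
    """Simplified stand-in for Splunk's timestamp search (assumption).

    Only the first `lookahead` characters are examined, which is what
    MAX_TIMESTAMP_LOOKAHEAD bounds; returns an aware datetime, or None if the
    full date/time/zone/year does not fit in that window.
    """
    m = DRACUT_TIMESTAMP_REGEX.match(event[:lookahead])
    if not m:
        return None
    mon, day, hh, mm, ss, zone, year = m.groups()
    if zone not in ZONE_OFFSET_HOURS:
        return None
    naive = datetime.strptime(f"{mon} {day} {hh}:{mm}:{ss} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSET_HOURS[zone])))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("sourcetype=syslog       -> host", resolve_host(ev, "syslog", "build01"))
        print("sourcetype=mySourceType -> host", resolve_host(ev, "mySourceType", "build01"))
        print("timestamp (lookahead 30) ->", parse_timestamp(ev))
    print("genuine syslog line      -> host", syslog_host(SYSLOG_LINE))
```

Running it shows the two outcomes side by side: under sourcetype=syslog both dracut lines resolve to host MDT, exactly as in the question, while under the renamed sourcetype they keep the host the input stage supplied, which also answers the second question (set host in the inputs.conf stanza, or rely on the forwarder's hostname). Note that the same regex correctly pulls web01 from a real syslog line, so the default extraction is not broken, it is simply being applied to data that is not syslog. A lookahead of 20 makes the timestamp search fail on the sample, which is why the 30-character value in the answer matters.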
