
Timezone being interpreted as hostname

coleman07
Path Finder

When looking at the data from the /var/log/dracut.log file, Splunk is pulling out the timezone field of the date and time and calling it the host.

Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue

3/27/12 9:15:23.000 AM  Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 /boot/initramfs-2.6.32-220.7.1.el6.x86_64.img  host=MDT | sourcetype=syslog | source=/var/log/dracut.log

The host is not MDT. I see this in several log files. Two questions: 1) How do I fix this so Splunk does not associate MDT with the host, and 2) since there is no host in the line, can Splunk assign a host to the data in this file?

What documentation do you recommend I read which would answer this question?

Thanks,

Sean Coleman


lguinn2
Legend

Splunk believes that this is a syslog-formatted log - I can tell because the sourcetype=syslog. In syslog, the host name follows the time stamp. You can do several things to correct this and to speed the processing of the file. (1) Give the file a different sourcetype. (2) Tell Splunk to find the timestamp in the first 30 characters of the event.

Find the inputs.conf file that is collecting this input. It might be the input that is collecting /var/log. Edit or create the configuration file props.conf in the same directory as the inputs.conf file.

In props.conf, put

[source::/var/log/dracut.log]
sourcetype=mySourceType
MAX_TIMESTAMP_LOOKAHEAD=30

Where mySourceType is the name of the sourcetype (you can just make up a new name).

You might browse through the Getting Data In manual. There are several sections that would be useful:

Configuring Timestamps

Configure Sourcetypes
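To make the mechanism in the answer concrete, here is an added Python illustration (not from this thread, and not Splunk's own code). It models a syslog-style host extraction as "the first word-like token after the ':SS' that ends the timestamp", which is a simplified assumption about how a syslog sourcetype behaves, not Splunk's actual default transform. Run against constructed lines shaped like the dracut.log events above, it shows why that rule yields "MDT", how a per-source sourcetype assignment (standing in for the props.conf stanza) stops the line from being treated as syslog so the host falls back to the input's host, and how a 30-character lookahead keeps the timestamp search from wandering into the message body. The mapping, the default host name and the sample lines are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample events, shaped like the dracut.log lines in the question.
DRACUT_LINES = [
    "Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue",
    "Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 "
    "/boot/initramfs-2.6.32-220.7.1.el6.x86_64.img",
]
# A constructed classic syslog line for contrast: timestamp, then the sending host.
SYSLOG_LINE = "Mar 27 09:15:04 web01 sshd[1234]: Accepted publickey for admin from 10.0.0.5"

# Simplified model of syslog host extraction: after the ":SS" that ends the
# timestamp, take the next word-like token as the host. This is an assumption
# about how a syslog sourcetype behaves, not Splunk's actual default transform.
SYSLOG_HOST_RE = re.compile(r":\d\d\s+\[?(\w[\w.\-]{2,})\]?\s")

# Full dracut-style timestamp: weekday, month, day, time, zone abbreviation, year.
DRACUT_TS_RE = re.compile(
    r"^(\w{3}) (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ([A-Z]{3,4}) (\d{4})"
)


def syslog_host(line):
    """Host as a syslog-style parser would read it (None if no token follows the time)."""
    m = SYSLOG_HOST_RE.search(line)
    return m.group(1) if m else None


def dracut_timestamp(line, lookahead=30):
    """Parse the timestamp from at most `lookahead` leading characters.

    Limiting the window mirrors MAX_TIMESTAMP_LOOKAHEAD: nothing past that point
    (e.g. the 'Mar 27 09:15' inside the second message body) can be mistaken for
    the event time. Returns (naive datetime, zone abbreviation) or None.
    """
    m = DRACUT_TS_RE.match(line[:lookahead])
    if not m:
        return None
    _, mon, day, hms, zone, year = m.groups()
    ts = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S")
    return ts, zone


# Stand-in for the props.conf stanza in the answer: a per-source sourcetype
# assignment (constructed mapping, not real Splunk configuration parsing).
SOURCE_TO_SOURCETYPE = {"/var/log/dracut.log": "mySourceType"}


def assign_host(line, source, input_host="dracut-node"):
    """Decide the host field for an event.

    Only events still treated as syslog get the host read out of the line;
    everything else keeps the host of the input that collected it. `input_host`
    is a constructed default; Splunk would use the forwarder's host setting.
    Returns (sourcetype, host).
    """
    sourcetype = SOURCE_TO_SOURCETYPE.get(source, "syslog")
    if sourcetype == "syslog":
        host = syslog_host(line) or input_host
    else:
        host = input_host
    return sourcetype, host


if __name__ == "__main__":
    for line in DRACUT_LINES:
        print("syslog-style parse   ->", syslog_host(line))
        print("after props.conf fix ->", assign_host(line, "/var/log/dracut.log"))
        print("timestamp (30 chars) ->", dracut_timestamp(line))
    print("real syslog line     ->", syslog_host(SYSLOG_LINE))
```

The same extraction rule that correctly returns "web01" for a genuine syslog line returns "MDT" for the dracut lines, because the zone abbreviation sits exactly where syslog puts the hostname. Changing the sourcetype removes the line from that rule's scope, which is why the answer's props.conf stanza fixes both the wrong host and, via the input's own host setting, the missing one.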
