hi Paolo - hi Simeon - thanks a lot for your help.
I edited my "$SPLUNK_HOME/etc/system/local/inputs.conf" and deleted the entry "host = LOG01" under "[default]", just as you suspected. I restarted Splunk, but the logs are still all showing up under LOG01.
Physically, all my logs are on LOG01, collected and rotated by Sysklogd, the default Ubuntu syslogger. So Splunk just forgot how to identify the true source.
I am not really sure what to look for. I am not familiar with the term "stanza". I will grep for LOG01; maybe I will find some other inputs.conf files.
I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.
After I was experimenting with a second Splunk server to send Windows logs as a forwarder (I configured sending and receiving on TCP 9997), my Splunk server seemed to have stopped indexing my files in /var/log. The counters stopped going up; only messages from "Host=LOG01" (my server) seemed to update. Looking closer, I discovered that all logs formerly correctly identified as coming from different sources, presented nicely on my Search/Summary start page, were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.
How do I get the "source recognition" going again, so that my logs are indexed with the correct source again?
(you might guess that I am rather new to splunk)
PS: another thing I did was switching from Enterprise to Free License, but the host correlation seemed to get lost before that.
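For readers hitting the same symptom, here is an added example of how Splunk decides the `host` value for a monitored file; it is constructed for this thread and is not configuration from either poster. The first form reproduces the shape described above: a `host` setting under `[default]` in inputs.conf is inherited by every input on that instance, so each monitored file is tagged with that one name. The second form shows the two places where a per-source host normally comes from instead: `host_segment` on a monitor stanza when the collector writes one directory per sending host, and an index-time transform that rewrites `MetaData:Host` from the hostname inside each syslog line when everything lands in one combined file. The directory layout `/var/log/remote/<host>/syslog` and the regex are assumptions for the example. One caveat worth knowing when checking the effect: `host` is assigned when an event is indexed, so events that were already indexed under LOG01 keep that value, and only newly indexed events reflect the change.

```ini
# --- Problem shape (constructed, not from the thread) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# A host under [default] is inherited by every stanza below it, so all
# monitored files are indexed as host=LOG01.
[default]
host = LOG01

[monitor:///var/log/syslog]
sourcetype = syslog

# --- Corrected form, case 1: one directory per sending host (assumed layout) ---
# $SPLUNK_HOME/etc/apps/search/local/inputs.conf
# Path segments are counted from 1: /var/log/remote/<host>/syslog -> var=1, log=2, remote=3, <host>=4
[monitor:///var/log/remote/*/syslog]
sourcetype = syslog
host_segment = 4

# --- Corrected form, case 2: one combined syslog file holding lines from many hosts ---
# $SPLUNK_HOME/etc/apps/search/local/props.conf
# Apply an index-time transform to the sourcetype; the transform overrides
# whatever host the input stanza (or [default]) supplied.
[syslog]
TRANSFORMS-sethost = set_host_from_syslog_line

# $SPLUNK_HOME/etc/apps/search/local/transforms.conf
# Constructed regex for a classic syslog line such as
#   "Jan  5 12:34:56 web01 sshd[123]: Accepted publickey ..."
# Capture group 1 is the hostname field after the timestamp.
[set_host_from_syslog_line]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s([\w.-]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After editing any of these files, restart Splunk and then verify on new data only, for example with a search restricted to events newer than the restart time (`index=main earliest=-5m | stats count by host`); older events will still report the host they were indexed with.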