Recently we reconfigured our remote syslog clients to deliver their logs over source:tcp-ssl instead of source:tcp.
Since then, the events are no longer assigned the configured hostname.
Instead, the host field contains the source IP address of the originating client.
inputs.conf @ indexer:
$ /splunk/bin/splunk btool inputs list tcp-ssl://10.11.12.13:1514 --debug
/data/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/data/splunk/etc/apps/IA-xml/local/inputs.conf host = hostname-xy
/data/splunk/etc/apps/IA-xml/local/inputs.conf index = xml-p
/data/splunk/etc/apps/IA-xml/local/inputs.conf sourcetype = xml
The fields 'index' and 'sourcetype' are assigned correctly. Only the 'host' field does not seem to take effect.
It would be quite ugly to override the host field at index time with transforms.
Any ideas or experiences with this issue?
Thanks a lot & best regards
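As an added configuration example (not the poster's own files), the stanza from the btool output written out in full with `connection_host` set explicitly. In Splunk's inputs.conf, `connection_host` on a `[tcp://...]` or `[tcp-ssl://...]` stanza decides whether the indexer derives the host field from the sending connection (`ip` or `dns`) or leaves it as configured in the stanza (`none`). That this setting explains the behaviour in the post is an assumption; the btool output shown does not list it. The app name, address and port are taken from the post; certificate paths and the password are placeholders.

```ini
# Added example, not the original poster's configuration.
# File: $SPLUNK_HOME/etc/apps/IA-xml/local/inputs.conf

[tcp-ssl://10.11.12.13:1514]
host = hostname-xy
index = xml-p
sourcetype = xml
# Assumption: "none" keeps the static host above. "ip" or "dns" would replace
# it with the client's address or reverse-DNS name for every event received.
connection_host = none

# TLS server settings for tcp-ssl inputs live in the [SSL] stanza of the same
# file. Paths and password are placeholders; the CA used to validate client
# certificates is configured separately (server.conf, [sslConfig]) and is
# omitted here.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = <password>
requireClientCert = true
```

After reloading the input, the same `splunk btool inputs list tcp-ssl://10.11.12.13:1514 --debug` command should list `connection_host` next to `host`, which confirms the stanza actually merged as intended. Note the trust model this implies: with `connection_host = none` the host value is whatever the indexer's config says, not anything the peer sent, so it is only as trustworthy as the binding between this stanza's remote address and that client; `requireClientCert = true` ties that binding to a client certificate rather than to a routable source IP alone.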