I have configured a Splunk HF with the following inputs.conf stanzas (details changed) for two new device logs. Note the explicit host setting for each:
[monitor:///path/splunklogs/10.10.1.1/*.log]
disabled = false
host = myhost10
sourcetype = syslog
index = my_index

[monitor:///path/splunklogs/10.20.1.1/*.log]
disabled = false
host = myhost20
sourcetype = syslog
index = my_index
I created the index at the same time, so to validate it's working I simply ran a search "index=my_index" (knowing there will be nothing else there). But surprisingly, the search returns events from three hosts instead of two!
The first device looks okay, but for the second one (i.e. the second inputs stanza), some of the events are showing the wrong host value. It seems to be picking up a host value embedded in the event, but I don't see how. And I thought the inputs 'host' setting would override that anyway.
So, from the below example, the host SHOULD be set to 'myhost20' from the inputs stanza, but instead is showing as host 'xyz000000001234'.
Can anyone explain how that could be happening, and so, how to prevent it?
Sample event, with the standard fields below it:
2023-06-08T14:38:51+10:00 Sev=notice Facility=user Hostname=<loadbalancer> Header="Client " Message="Client IP: 10.20.1.1 | <109>Jun 8 14:40:11 xyz000000001234 some_field -: AUDIT [dvc="10.20.1.1" dvchost="10.20.1.1" version="7.7" user="<user>" role="" source="10.1.2.3" type="user_action" outcome="success" message="2023-06-08T14:40:11+10:00 abc120000001111 sshd\[2876138\]: Accepted keyboard-interactive/pam for device from 10.1.2.3 port 12345 ssh2"]"
host = xyz000000001234
index = my_index
source = /path/splunklogs/10.20.1.1/10.20.1.1-08-06-2023:14.log
sourcetype = syslog
Thanks for any response.
R.
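Added example (not part of the original post, and not Splunk's own code): a small Python model of why the host field changes. Splunk's system-default props.conf applies the index-time transform `syslog-host` to sourcetype `syslog`; its regex, reproduced below from the default transforms.conf as I know it (an assumption, verify against `$SPLUNK_HOME/etc/system/default/transforms.conf` for your version), writes `MetaData:Host` from the hostname that follows a syslog timestamp anywhere in the event body, which is why it replaces the `host` set in inputs.conf. The helper names, the precedence model and the trimmed sample events are constructed for illustration.

```python
import re

# Regex of the [syslog-host] stanza in Splunk's system-default transforms.conf
# (assumption: reproduced from memory, check your own installation's copy).
# DEST_KEY = MetaData:Host, FORMAT = host::$1 in the real stanza.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)


def extract_syslog_host(event: str):
    """Return the host the default syslog-host transform would pull from the
    event body, or None when the regex finds no 'HH:MM:SS hostname ' pattern."""
    match = SYSLOG_HOST_REGEX.search(event)
    return match.group(1) if match else None


def effective_host(inputs_host: str, event: str, syslog_host_transform: bool = True):
    """Model the index-time precedence: inputs.conf supplies the initial host,
    and a transform writing MetaData:Host replaces it whenever its regex matches.
    With the transform disabled (custom sourcetype / overridden TRANSFORMS),
    the inputs.conf value survives."""
    if syslog_host_transform:
        extracted = extract_syslog_host(event)
        if extracted:
            return extracted
    return inputs_host


# Trimmed version of the event from the post: a load-balancer syslog line that
# wraps a second, forwarded syslog line carrying its own hostname.
SAMPLE_EVENT = (
    '2023-06-08T14:38:51+10:00 Sev=notice Facility=user Hostname=<loadbalancer> '
    'Header="Client " Message="Client IP: 10.20.1.1 | <109>Jun 8 14:40:11 '
    'xyz000000001234 some_field -: AUDIT [dvc="10.20.1.1" type="user_action"]"'
)

# Constructed event with no nested syslog header: nothing for the regex to match.
PLAIN_EVENT = '2023-06-08T14:38:51+10:00 Sev=notice Facility=user Message="heartbeat ok"'


if __name__ == "__main__":
    # The nested header "14:40:11 xyz000000001234 " is what the transform keys on.
    print("extracted:", extract_syslog_host(SAMPLE_EVENT))
    print("host with default syslog transform:", effective_host("myhost20", SAMPLE_EVENT))
    print("host with transform disabled:      ",
          effective_host("myhost20", SAMPLE_EVENT, syslog_host_transform=False))
    print("host for plain event:              ", effective_host("myhost20", PLAIN_EVENT))
```

The point for a defender is that, with this transform active, the host field is derived from text inside the event rather than from the input configuration, so a forwarded or nested syslog line (as inside the load-balancer message above) relabels the event, and the ISO-8601 timestamp at the start of the outer line does not stop it because the regex only needs a `:SS` followed by a word. To keep the inputs.conf host, ingest these files under a sourcetype that does not inherit the transform, for example a custom sourcetype, or a local props.conf `[syslog]` stanza that overrides `TRANSFORMS` with an empty value (assumed to be the right override; confirm it for your Splunk version).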