Hi,
I have a forwarder sending a syslog file to the receiver. The syslog has entries like:
Jul 27 09:50:21 ip-10-196-173-139 postfix .....
And I don't want the "ip-10-196-173-139" to show up as the "host" on the receiver when doing searches. So I edited the "inputs.conf" like this:
[default]
host = abc.mydomain.com
[monitor:///var/log/syslog]
disabled = false
host = abc.mydomain.com
I did this in a bunch of places since nothing seemed to work:
/opt/splunk/etc/system/local/inputs.conf
/opt/splunk/etc/apps/search/local/inputs.conf
/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
I also tried restarting Splunk (both on forwarder and receiver). But I'm still seeing the "ip-10-196-173-139" as the host on the receiver side when doing searches.
This is driving me crazy. Can anyone help?
Thanks!
Sunny