I am not able to find the host field information for the events coming from a particular machine. This is related to a particular source type. Other logs from a different source type from the same machine have host field information.
Events are reaching splunk, but they are missing host field information.
Can someone help?
Hi @sambitmahantaes,
ok, I didn't understand that the problem is at search time and not at index time as I understood!
you should check at first the eval because probably this is the problem.
Then you should check if you have some event with host="gea05" or if it's a little different.
Then, I don't understand the token in the eval:
try to eliminate "$" from the eval statement:
EVAL-host = if ( host LIKE "gea%", case( host = "gea03", "gea03.n1data.lan", host="gea04", "gea04.n1data.lan", host="geadist", "geadist.n1data.lan", host="gea05", "gea05.n1data.lan"), host)
then probably you could simplify your eval statement:
EVAL-host=case(host="gea03","gea03.n1data.lan", host="gea04","gea04.n1data.lan", host="geadist","geadist.n1data.lan", host="gea05","gea05.n1data.lan")
Ciao.
Giuseppe
Hi @gcusello , Thanks for quick response .
Logs are from a forwarder.
In the inputs.conf, there is no static assignment of host. It looks like following
[monitor:///var/log/httpd/ssl_error_log]
index = index1
sourcetype = apache_error
disabled = 0
[monitor:///var/log/httpd/access_log]
index = index1
sourcetype = access_combined
disabled = 0
I am getting host information for ssl_error.log events, but don't get it for access.log.
The props.conf contains this
EVAL-host = if ( host LIKE "gea%", case( host = "gea03", "gea03.n1data.lan", host="gea04", "gea04.n1data.lan", host="geadist", "geadist.n1data.lan", host="gea05", "gea05.n1data.lan"), $host$)
The problem is only for the events from the machine gea05.n1data.lan
Could you be kind enough to look at this expression. I tried adding host value in inputs.conf but it did not help.
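As an added illustration (not code from the thread or from Splunk), the small Python model below emulates the three Splunk eval functions involved, if(), case() and LIKE, and runs the EVAL-host expression quoted above, the simplified case() form, and a variant with a trailing true() fallback clause over a handful of constructed host values. The assumed Splunk semantics are the documented ones: case() returns null when no clause is true, and a null eval result means the field is simply absent at search time. The sample hosts and events are constructed.

```python
"""Emulate Splunk search-time EVAL-host behaviour on constructed sample hosts.

Added example, not the thread's own code. Assumes Splunk's documented
semantics: case() returns null when no clause matches, LIKE uses '%' as
a multi-character wildcard and '_' as a single-character wildcard, and a
null eval result removes the field from the event at search time.
"""
import re

# Short-name to FQDN mapping used by every variant (values from the thread).
ALIASES = {
    "gea03": "gea03.n1data.lan",
    "gea04": "gea04.n1data.lan",
    "geadist": "geadist.n1data.lan",
    "gea05": "gea05.n1data.lan",
}


def splunk_like(value, pattern):
    """Splunk LIKE: '%' matches any run of characters, '_' exactly one."""
    if value is None:
        return False
    regex = "^" + "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value) is not None


def splunk_case(*pairs):
    """case(c1, v1, c2, v2, ...): first value whose condition is true, else null."""
    for cond, value in zip(pairs[0::2], pairs[1::2]):
        if cond:
            return value
    return None  # no clause matched: Splunk returns NULL here


def splunk_if(cond, then_value, else_value):
    return then_value if cond else else_value


def alias_clauses(host):
    """Flatten ALIASES into the (condition, value, ...) argument list case() takes."""
    clauses = []
    for short, fqdn in ALIASES.items():
        clauses += [host == short, fqdn]
    return clauses


def original_eval(host):
    """EVAL-host = if(host LIKE "gea%", case(...), host), as quoted in the thread,
    with the $host$ token read as the plain host field (as the answer suggests)."""
    return splunk_if(splunk_like(host, "gea%"), splunk_case(*alias_clauses(host)), host)


def simplified_eval(host):
    """EVAL-host = case(...) with no fallback, the simplified form from the answer."""
    return splunk_case(*alias_clauses(host))


def fallback_eval(host):
    """Hypothetical hardened variant (not from the thread): a final true() clause
    keeps the original host when no alias matches instead of nulling it."""
    return splunk_case(*alias_clauses(host), True, host)


def apply_eval(events, eval_fn):
    """Return copies of events with the eval applied; a null result drops the host field."""
    out = []
    for ev in events:
        new = dict(ev)
        result = eval_fn(ev.get("host"))
        if result is None:
            new.pop("host", None)
        else:
            new["host"] = result
        out.append(new)
    return out


def hosts_lost(events, eval_fn):
    """Original host values that end up with no host field after the eval."""
    return [ev["host"] for ev, new in zip(events, apply_eval(events, eval_fn)) if "host" not in new]


# Constructed access_combined-style events; the forwarder reports an FQDN for gea05.
SAMPLE_EVENTS = [
    {"host": "gea03", "_raw": '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512'},
    {"host": "gea05", "_raw": '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 128'},
    {"host": "gea05.n1data.lan", "_raw": '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /b HTTP/1.1" 404 64'},
    {"host": "webproxy01", "_raw": '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /c HTTP/1.1" 200 256'},
]

if __name__ == "__main__":
    for name, fn in [("original", original_eval), ("simplified", simplified_eval), ("fallback", fallback_eval)]:
        print(f"{name:10s} loses host for: {hosts_lost(SAMPLE_EVENTS, fn)}")
```

Running it shows the failure mode a defender cares about: any host that reaches the eval already in a form the case() clauses do not list (here the FQDN gea05.n1data.lan, or a host outside the gea family for the simplified form) ends up with no host field at all, which is exactly the symptom of events "missing host field information" for one sourcetype only. A host-rewriting eval should therefore always carry a fallback clause so an unmatched host keeps its original value.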
Hi @gcusello , The sourcetype definition was a problem. Removing the EVAL-host definition solved the issue. Thank you for your response.
Hi @sambitmahantaes ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @sambitmahantaes,
let me understand: you have a transformation that assigns the host value using a regex in props.conf and transforms.conf, is it correct?
if yes, you should control the regex in transforms.conf and anyway assign a fixed default value in inputs.conf, then your procedure will override the value based on the regex in transforms.conf, but when it fails, you have the default assignment.
Ciao.
Giuseppe
Hi @sambitmahantaes,
are you speaking of logs from a Forwarder or from other sources (syslogs, etc...)?
if from forwarder, see in inputs.conf if there's a static assignment of the host.
Ciao.
Giuseppe