Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Host field missing in events coming from a particular machine- How do I find host field information?

sambitmahantaes
Explorer
‎07-13-2022 05:40 AM

I am not able to find the host field information for the events coming from a particular machine.  This is related to a particular source type. Other logs from a different source type from the same machne has host field information.

Events are reaching splunk, but they are missing host field information.

Can someone help?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:56 PM

Hi @sambitmahantaes,

ok, i didn't understand that the problem is at search time and not at index time as I understood!

you should check at first the eval because probably this is the problem.

Then you should check if you have some event with host="gea05" or if it's a little different.

Thewn, I don't understand the token in the eval:

try to eliminate "$" from the eval statement:

EVAL-host = if ( host LIKE "gea%", case( host = "gea03", "gea03.n1data.lan", host="gea04", "gea04.n1data.lan", host="geadist", "geadist.n1data.lan", host="gea05", "gea05.n1data.lan"), host)

then probably you could simplify your eval statement:

EVAL-host=case(host="gea03","gea03.n1data.lan", host="gea04","gea04.n1data.lan", host="geadist","geadist.n1data.lan", host="gea05","gea05.n1data.lan")

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

sambitmahantaes
Explorer
‎07-13-2022 06:17 AM

Hi @gcusello , Thanks for quick response .

Logs are from a forwader

In the inputs.conf, there is no static assignment of host. It looks like following

[monitor:///var/log/httpd/ssl_error_log]
index = index1
sourcetype = apache_error
disabled = 0

[monitor:///var/log/httpd/access_log]
index = index1
sourcetype = access_combined
disabled = 0

I am getting host information for ssl_error.log events, but don't get it for access.log.

0 Karma
Reply
Solved! Jump to solution

sambitmahantaes
Explorer
‎07-13-2022 07:02 AM

The props.conf contains this

EVAL-host = if ( host LIKE "gea%", case( host = "gea03", "gea03.n1data.lan", host="gea04", "gea04.n1data.lan", host="geadist", "geadist.n1data.lan", host="gea05", "gea05.n1data.lan"), $host$)

The problem is only for the events from the machine gea05.n1data.lan

Could you be kind enough to look at this expression.  I tried adding host value in inputs.conf but it did not help.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:56 PM

Hi @sambitmahantaes,

ok, i didn't understand that the problem is at search time and not at index time as I understood!

you should check at first the eval because probably this is the problem.

Then you should check if you have some event with host="gea05" or if it's a little different.

Thewn, I don't understand the token in the eval:

try to eliminate "$" from the eval statement:

EVAL-host = if ( host LIKE "gea%", case( host = "gea03", "gea03.n1data.lan", host="gea04", "gea04.n1data.lan", host="geadist", "geadist.n1data.lan", host="gea05", "gea05.n1data.lan"), host)

then probably you could simplify your eval statement:

EVAL-host=case(host="gea03","gea03.n1data.lan", host="gea04","gea04.n1data.lan", host="geadist","geadist.n1data.lan", host="gea05","gea05.n1data.lan")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution

sambitmahantaes
Explorer
‎07-18-2022 12:07 AM

Hi @gcusello , The sourcetype definition was a problem. Removing the EVA-host definition solved the issue. Thank you for your response.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-18-2022 12:33 AM

Hi @sambitmahantaes ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 06:34 AM

Hi @sambitmahantaes,

let me understand: you have a transformation that assign the host value using a regex in props.conf and transforms.conf, is it correct?

if yes, you should control the regex in transforms.conf and anyway assign a fixed default value in inputs.conf, then your procedure will override the value based on the regex in transfoms.conf, but when it fails, you have the default assignmment.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 05:55 AM

Hi @sambitmahantaes,

are you speaking of logs from a Forwarder or from other sources (syslogs, etc...)?

if from forwarder, see in inputs.conf if there's a static assigment of the host.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...