Getting Data In

Why is Host "localhost" when inputs.conf set-up to use custom name?

tbertran
New Member

Hi all,

I'm using a straight forward splunk install (no forwarder, no external input source) on my server. Below is an extract from my inputs.conf:

[monitor:///private/var/log]
disabled = false
followTail = 1
host = MyHostName
ignoreOlderThan = 30d
blacklist = (.bz2$|krb5kdc|appfirewall.log)
index = logs
crcSalt = <SOURCE>

Most of the events from this file show up correctly under the MyHostName host but a small portion shows up under localhost like this one:

May 1 14:34:34 localhost configd[14]: network configuration changed.

This is presumably happening because the word localhost appears in the event but I don't care what word appears in the event, I don't want the host name to be anything other than what I set in inputs.conf.

I'm hoping it can be solved without resorting to the transforms.conf, which feels like overkill for this simple issue.

Thanks for the help.

0 Karma

southeringtonp
Motivator

If most of your events are showing the correct host=MyHostName, then it sounds like you're already using transforms.conf to override a subset of the events. Splunk does this out-of-the-box for [syslog] and a few other sourcetypes, but you can disable it.

Check the sourcetypes of the incorrect events - they're probably all showing up as syslog or similar.

Try adding the following in props.conf:

[source::/private/var/log/*]
TRANSFORMS=
TRANSFORMS-host=

You may only need one of the two TRANSFORMS= lines above - most of the default host overrides use TRANSFORMS, but if you're running postfix, you'll also need to reset TRANSFORMS-host.

Edit:

There are two possible reasons why some events would show localhost and some MyHostName...

  1. Your raw syslog data contains localhost for some events, and MyHostName for others. Splunk is extracting the value it sees.

  2. Transform-based host assignment uses a regular expression to pull out the new value of hostname. If the regex doesn't match, it will fall back to using the value you set in the .conf files.

For more information on how overriding of the hostname works, take a look at:

http://www.splunk.com/base/Documentation/4.2/Data/overridedefaulthostassignments

To see the default transforms used for syslog events, look in the following two files:

    $SPLUNK_HOME/etc/system/default/transforms.conf

    $SPLUNK_HOME/etc/system/default/props.conf
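To make the precedence described in this answer concrete, here is an added example (not Splunk's code and not from the original post) that models how the host for a syslog event is chosen: the host= from inputs.conf is the baseline, the default [syslog] stanza in props.conf attaches the syslog-host transform, and that transform's regex overrides the host whenever it matches. It also shows why the props.conf fix works: a source:: stanza takes precedence over a sourcetype stanza, so an empty TRANSFORMS= blanks out the default. Assumptions: the regex is the [syslog-host] stanza from $SPLUNK_HOME/etc/system/default/transforms.conf as I recall it (verify against your own copy), only sourcetype and source:: stanzas are modelled, and the sample events other than the one quoted in the question are constructed.

```python
import fnmatch
import re

# Added example modelling Splunk's syslog host assignment; not Splunk's own code.
# ASSUMPTION: this is the [syslog-host] REGEX from the default transforms.conf
# as recalled; check $SPLUNK_HOME/etc/system/default/transforms.conf yourself.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Minimal stand-in for the default [syslog] stanza in props.conf.
DEFAULT_PROPS = """
[syslog]
TRANSFORMS = syslog-host
"""

# The fix from the answer: a source:: stanza that blanks the transforms.
FIX_PROPS = DEFAULT_PROPS + """
[source::/private/var/log/*]
TRANSFORMS=
TRANSFORMS-host=
"""

# Constructed sample events; only the first is the line quoted in the question.
# The last one has no host token after the timestamp, so the regex cannot match.
EVENTS = [
    "May 1 14:34:34 localhost configd[14]: network configuration changed.",
    "May 1 14:34:35 MyHostName kernel[0]: hfs: mounted Macintosh HD on root_device",
    "May 1 14:34:36 [MyHostName] sshd[512]: Accepted publickey for admin",
    "May 1 14:34:37 -- MARK --",
]


def parse_conf(text):
    """Parse a Splunk-style .conf into {stanza: {key: value}}, keeping key case."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def active_transforms(props_text, source, sourcetype):
    """Transform names in effect for an event after stanza precedence.

    Sourcetype settings are applied first, then any matching source:: stanza
    overrides them, so 'TRANSFORMS=' in [source::...] empties the list that
    [syslog] filled with 'syslog-host'.
    """
    props = parse_conf(props_text)
    merged = dict(props.get(sourcetype, {}))
    for stanza, settings in props.items():
        if stanza.startswith("source::") and fnmatch.fnmatch(source, stanza[len("source::"):]):
            merged.update(settings)
    names = []
    for key, value in merged.items():
        if key == "TRANSFORMS" or key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def assign_host(raw_event, inputs_host, transforms):
    """Host for one event: the regex wins when syslog-host is active and matches;
    otherwise the host= set in inputs.conf stands (the answer's reason 2)."""
    if "syslog-host" in transforms:
        m = SYSLOG_HOST_REGEX.search(raw_event)
        if m:
            return m.group(1)
    return inputs_host


def hosts_for(props_text, inputs_host="MyHostName",
              source="/private/var/log/system.log", sourcetype="syslog"):
    """Host assigned to each sample event under the given props.conf text."""
    transforms = active_transforms(props_text, source, sourcetype)
    return [assign_host(e, inputs_host, transforms) for e in EVENTS]


if __name__ == "__main__":
    print("default props:", hosts_for(DEFAULT_PROPS))
    print("with fix:     ", hosts_for(FIX_PROPS))
```

With the default props the quoted event comes out as localhost while the MARK line, which the regex cannot match, falls back to MyHostName; with the source:: stanza in place every event keeps the inputs.conf value. The same check can be made against a real deployment with `splunk btool props list syslog --debug`, which shows which file contributes each TRANSFORMS setting.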

southeringtonp
Motivator

See edits above. It doesn't matter that you didn't set up a transform -- there's one in effect by default. The above instructions will turn it off. Field extraction based on the transform will take precedence over the value you set in inputs.conf. As for the ones that look right, either the transform isn't matching those events, or it's actually overriding it, but with the same value.

0 Karma

tbertran
New Member

Hi, thanks for your help. I'm only talking about the one file /private/var/log whose sourcetype is syslog. To clarify, most events for that one source will show a host name of MyHostName (because of my hardcoding the host in inputs.conf) and some events will show localhost as a hostname. I don't see why those events do not have a hostname of MyHostName.

0 Karma

southeringtonp
Motivator

To clarify - please edit your question and say what the sourcetypes are for your incorrect data. Splunk has default transforms.conf entries for syslog events that will be in effect unless you have explicitly turned them off (see $SPLUNK_HOME/etc/system/default/transforms.conf)

0 Karma

tbertran
New Member

Thanks for your response. No, I'm not using transforms.conf, the host name is set in inputs.conf as shown in my original post and it mostly works but I can't explain why it doesn't always work.

0 Karma