Splunk Search

How do I get the Hosts list in Search to not show syslog words as hosts?

mikeely
Path Finder

I've set up two linux machines as forwarders, and suddenly I have a very large number of entries in the hosts field which appear to simply be distinct words in the various syslog files. The host adding the vast majority of the fake hosts is running OpenSuSE 11.4, but a RHEL box also created two host entries (one upper case and one lower case). The inputs.conf for both hosts couldn't be any simpler:

[monitor:///var/log]
disabled=false
followTail=1
sourcetype=syslog

Here's a screenshot of the problem so you can see what I mean. The blurred names are actual hosts:

[Screenshot: Too many hosts]

1 Solution

mikelanghorst
Motivator

I would recommend removing the "sourcetype=syslog" from your monitor stanza. Many logs under that path may not be in syslog format. You are telling it to treat all of these logs as syslog files, which will extract the 4th field of the line to be the hostname.

Then if you have specific file sources, add them to props.conf entries and assign them to sourcetype=syslog.

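To see why a blanket sourcetype=syslog on /var/log turns ordinary words into hosts, here is an added Python example (not from the thread, and not Splunk's own code) that applies a simplified "4th whitespace-delimited field is the host" rule to constructed sample lines from files of the kind found under /var/log, and flags the values that do not come from real syslog lines. The file names, log lines and the hostname check are constructed for illustration; the 4th-field rule is a stand-in for Splunk's actual syslog host transform.

```python
import re
from collections import Counter

# Simplified stand-in for the syslog sourcetype's default host rule: a BSD
# syslog line is "<Mon> <DD> <HH:MM:SS> <host> <tag>: <msg>", so the 4th
# whitespace-delimited field is taken as the host. Illustration only, not
# Splunk's own transform.
SYSLOG_TS = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s+\d\d:\d\d:\d\d\s"
)
# Constructed sanity check: a host token should look like a hostname, so
# tokens such as "Installed:" are rejected even when a timestamp precedes them.
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

def fourth_field_host(line):
    """Host a blanket sourcetype=syslog would assign to this line, or None."""
    fields = line.split()
    return fields[3] if len(fields) >= 4 else None

def is_plausible_syslog(line):
    """True only if the line opens with a syslog timestamp AND the token in
    host position looks like a hostname."""
    host = fourth_field_host(line)
    return bool(SYSLOG_TS.match(line)) and host is not None and bool(HOSTNAME.match(host))

def hosts_by_file(files):
    """Per file: the host values the 4th-field rule would produce, and which
    of them are bogus (taken from lines that are not really syslog)."""
    report = {}
    for path, lines in files.items():
        hosts = Counter(h for h in map(fourth_field_host, lines) if h)
        bogus = {fourth_field_host(ln) for ln in lines
                 if fourth_field_host(ln) and not is_plausible_syslog(ln)}
        report[path] = {"hosts": sorted(hosts), "bogus": sorted(bogus)}
    return report

# Constructed sample content mimicking files under /var/log. Only "messages"
# is real syslog; the other two are not, yet both yield "hosts".
SAMPLE_FILES = {
    "/var/log/messages": [
        "Apr  3 10:15:01 web01 sshd[2211]: Accepted publickey for deploy",
        "Apr  3 10:15:07 web01 CRON[2230]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    "/var/log/boot.msg": [
        "Inspecting /boot/System.map-3.0.0-default",
        "Loaded 12345 symbols from /boot/System.map",
        "Resolving dependencies for kernel modules",
    ],
    "/var/log/yum.log": [
        "Apr 03 10:20:11 Installed: openssl-1.0.0-10.el6.x86_64",
        "Apr 03 10:21:45 Updated: bash-4.1.2-9.el6.x86_64",
    ],
}

if __name__ == "__main__":
    for path, info in hosts_by_file(SAMPLE_FILES).items():
        print(f"{path}: hosts={info['hosts']} bogus={info['bogus']}")
```

Running it shows the words "from", "kernel", "Installed:" and "Updated:" appearing as hosts exactly the way the screenshot does, which is why the accepted answer scopes sourcetype=syslog to specific sources via props.conf instead of the whole directory.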

