I have a server forwarding events to Splunk that must be configured incorrectly. Its hostname is blank, and its events can be found with this search string:
host=""
How can I use splunk to determine the origin (IP or real hostname) of the forwarding server to correct its blank hostname?
Try this for a windows computer:
index=main ComputerName="*" | fillnull value=NoHostName host | dedup ComputerName | table ComputerName,host
Then look in the table for a ComputerName whose host is NoHostName.
For a unix host, if you're collecting interface information, then this should work for finding the interface IP.
index=os | search sourcetype="interfaces" | rex field=_raw "(?msi).*\s(?<interfaceIP>\d+\.\d+\.\d+\.\d+)" | dedup interfaceIP | fillnull value=NoHostName host | table interfaceIP,host
Hmm, it's definitely a Windows box (I see perfmon stats) but the first query didn't return a hit. I'll keep digging.
Clever indeed.
If I understand your question, you are referring to the forward server's own files not showing a host name when they are indexed at the indexer.
Look under .../splunk/etc/system/local at the inputs.conf file on the forwarder. You should see something like this:
[default]
host = servername
If the forwarding server is forwarding logs from other hosts (e.g. via syslog-ng), then you can define where the hostname is pulled from in the inputs.conf file.
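As an added illustration of the above (this is not part of the original answer), here is an inputs.conf fragment for the forwarder showing the [default] host setting together with the per-input settings that decide where the host value comes from when the forwarder relays other machines' logs. The stanza and setting names (host, host_regex, connection_host) are Splunk's own; the hostname fwd01, the directory layout under /var/log/remote/ and the UDP port are assumed values for illustration only.

```ini
# Added example, not the original poster's configuration.
# Lives in $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder
# (the path the answer abbreviates as .../splunk/etc/system/local).

# Default host for everything this forwarder reads locally.
# Leaving this empty, or setting "host =" with nothing after it,
# is one way to end up with host="" on the indexer.
[default]
host = fwd01

# A plain local file monitor: inherits host = fwd01 from [default].
[monitor:///var/log/messages]
sourcetype = syslog

# Logs relayed by syslog-ng into one directory per sending host, e.g.
# /var/log/remote/webserver01/messages (assumed layout). host_regex
# runs against the file path and the first capture group becomes the
# host, so these events are attributed to webserver01, not to fwd01.
[monitor:///var/log/remote/*/messages]
sourcetype = syslog
host_regex = /var/log/remote/([^/]+)/

# Syslog received directly over the network (assumed port). connection_host
# chooses the host value: "dns" = reverse lookup of the sender,
# "ip" = the sender's IP address, "none" = fall back to the [default] host.
[udp://514]
sourcetype = syslog
connection_host = dns
```

After editing inputs.conf, restart the forwarder (splunk restart) so the new host values take effect; events already indexed keep the blank host, so searching host="" will still return the old data until it ages out.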