
Blank or null hostname (host=""): How do I find the server?

jcarpio9
Engager

I have a server forwarding events to Splunk that must be configured incorrectly. Its hostname is blank, and it can be found using this search string:

host=""

How can I use Splunk to determine the origin (IP or real hostname) of the forwarding server to correct its blank hostname?


lukejadamec
Super Champion

Try this for a Windows computer:

index=main ComputerName="*" | fillnull value=NoHostName host | dedup ComputerName | table ComputerName,host

And, look in the table for a ComputerName with NoHostName.

For a Unix host, if you're collecting interface information, then this should work for finding the interface IP:

index=os | search sourcetype="interfaces" | rex field=_raw "(?msi).*\s(?<interfaceIP>\d+\.\d+\.\d+\.\d+)" | dedup interfaceIP | fillnull value=NoHostName host | table interfaceIP,host

jcarpio9
Engager

Hmm, it's definitely a Windows box (I see perfmon stats) but the first query didn't return a hit. I'll keep digging.

0 Karma

kristian_kolb
Ultra Champion

Clever indeed.

0 Karma

kphillipson
Path Finder

If I understand your question, you are referring to the forward server's own files not showing a host name when they are indexed at the indexer.

Look under .../splunk/etc/system/local at the inputs.conf file on the forwarder. You should see something like this:

[default]
host = servername

If the forward server is forwarding logs from other hosts (i.e., syslog-ng) then you can define where the hostname is pulled from in the inputs.conf file.

0 Karma
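
A small check for the inputs.conf setting described in the answer above, as an added example that is not part of the thread or Splunk's own tooling: it parses a forwarder's inputs.conf text and lists stanzas whose host is set to an empty value, plus a missing host under [default]. The sample file content and the function name audit_host_settings are constructed for illustration.

```python
import configparser

# Constructed sample of a forwarder's inputs.conf (not taken from the thread).
SAMPLE_INPUTS_CONF = """\
[default]
host =

[monitor:///var/log/messages]
sourcetype = syslog

[monitor:///var/log/app.log]
host = app01

[udp://514]
host =
connection_host = ip
"""


def audit_host_settings(conf_text):
    """Return (stanza, problem) tuples for host settings that are missing or blank."""
    parser = configparser.RawConfigParser(
        default_section="__unused__",  # keep [default] an ordinary section
        delimiters=("=",),
        comment_prefixes=("#",),
        strict=False,                  # tolerate repeated stanzas
    )
    parser.optionxform = str           # preserve key case as written
    parser.read_string(conf_text)

    findings = []
    # The answer above expects [default] in this file to carry a host value.
    if not parser.has_section("default") or not parser.has_option("default", "host"):
        findings.append(("default", "no host setting"))
    # A stanza with "host =" and nothing after it is the blank case to chase down.
    for stanza in parser.sections():
        if parser.has_option(stanza, "host") and not parser.get(stanza, "host").strip():
            findings.append((stanza, "host is blank"))
    return findings


if __name__ == "__main__":
    for stanza, problem in audit_host_settings(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {problem}")
```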