I realized the other day we are no longer seeing instances of $decideonstartup in the host field for some of our logs but we are seeing where some logs show up with a host name of "." I don't know if these are the same servers just with a newer agent version or what. At any rate I've been able to come up with a few ways to narrow down which servers these actually are but I'm in a very distributed environment where I don't have actual access to the servers. One thing I found interesting this morning is in the initial startup logs for an agent it does report the correct name value in what I suspect is the server.conf file and somewhere else BUT the host field is still showing "."

My questions then are

1. Any idea which files to update to fix this? I suspect $SPLUNK_HOME/etc/system/local/inputs.conf

2. Any idea why this is showing up like it is?

3. Sure would be interested in figuring out a way to correct the issue via my Splunk deployment server

Example logs

3/12/14
4:39:46.190 PM 03-12-2014 16:39:46.190 -0400 INFO ServerConfig - My hostname is "wuzzle".

host = . source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd

3/12/14 4:39:46.190 PM 03-12-2014 16:39:46.190 -0400 INFO ServerConfig - My server name is "wuzzle".

host = . source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd