Getting Data In

Why is Host "localhost" when inputs.conf set-up to use custom name?

tbertran
New Member

Hi all,

I'm using a straight forward splunk install (no forwarder, no external input source) on my server. Below is an extract from my inputs.conf:

[monitor:///private/var/log]
disabled = false
followTail = 1
host = MyHostName
ignoreOlderThan = 30d
blacklist = (.bz2$|krb5kdc|appfirewall.log)
index = logs
crcSalt = <SOURCE>

Most of the events from this file show up correctly under the MyHostName host but a small portion shows up under localhost like this one:

May 1 14:34:34 localhost configd[14]: network configuration changed.

This is presumably happening because the word localhost appears in the event but I don't care what word appears in the event, I don't want the host name to be anything other than what I set in inputs.conf.

I'm hoping it can be solved without resorting to the transforms.conf, which feels like overkill for this simple issue.

Thanks for the help.

southeringtonp
Motivator

If most of your events are showing the correct host=MyHostName, then it sounds like you're already using transforms.conf to override a subset of the events. Splunk does this out-of-the-box for [syslog] and a few other sourcetypes, but you can disable it.

Check the sourcetypes of the incorrect events - they're probably all showing up as syslog or similar.

Try adding the following in props.conf:

[source::/private/var/log/*]
TRANSFORMS=
TRANSFORMS-host=

You may only need one of the two TRANSFORMS= lines above - most of the default host override use TRANSFORMS, but if you're running postfix, you'll also need to reset TRANSFORMS-host.

Edit:

There are two possible reasons why some events would show localhost and some MyHostName...

  1. Your raw syslog data contains localhost for some events, and MyHostName for others. Splunk is extracting the value it sees.

  2. Transform-based host assignment uses a regular expression to pull out the new value of hostname. If the regex doesn't match, it will fall back to using the value you set in the .conf files.

For more information on how overriding of the hostname works, take a look at:

http://www.splunk.com/base/Documentation/4.2/Data/overridedefaulthostassignments.

To see the default transforms used for syslog events, look in the following two files:

    $SPLUNK_HOME/etc/system/default/transforms.conf

    $SPLUNK_HOME/etc/system/default/props.conf
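To make the two explanations in the answer above concrete, here is an added example (not from the original thread, and not Splunk's own code) that emulates index-time host assignment in Python: start from the host= value in inputs.conf, then let the default syslog-host transform overwrite it when its REGEX matches. The regex is reproduced from memory of the [syslog-host] stanza in $SPLUNK_HOME/etc/system/default/transforms.conf, so treat the exact pattern as an assumption and compare it with your own install; the sample events are constructed, modelled on the configd line in the question. Passing an empty transforms list models the effect of the TRANSFORMS= reset in props.conf.

```python
import re

# Default [syslog-host] transform from $SPLUNK_HOME/etc/system/default/transforms.conf.
# Reproduced from memory (assumption): check it against your own copy of the file.
#   [syslog-host]
#   DEST_KEY = MetaData:Host
#   REGEX    = <pattern below>
#   FORMAT   = host::$1
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# host = MyHostName, as set in the question's inputs.conf stanza.
INPUTS_CONF_HOST = "MyHostName"

# Constructed sample events (not real log data). Each shows one of the cases
# discussed in the thread:
#   1. raw data says "localhost"   -> transform overrides inputs.conf
#   2. raw data says "MyHostName"  -> transform overrides with the same value
#   3. no hostname field at all    -> regex misses, inputs.conf value is kept
SAMPLE_EVENTS = [
    "May 1 14:34:34 localhost configd[14]: network configuration changed.",
    "May 1 14:36:00 MyHostName sshd[100]: Accepted publickey for tbertran",
    "May 1 14:35:00 configd[14]: network configuration changed.",
]


def assign_host(raw, inputs_host=INPUTS_CONF_HOST, transforms=("syslog-host",)):
    """Return the host Splunk would stamp on one event.

    inputs_host is the static host= from inputs.conf. Any transform named in
    `transforms` that matches the raw event replaces that value; a transform
    whose regex does not match leaves it alone. transforms=() corresponds to
    TRANSFORMS= / TRANSFORMS-host= being cleared in props.conf.
    """
    host = inputs_host
    if "syslog-host" in transforms:
        match = SYSLOG_HOST_REGEX.search(raw)
        if match:
            host = match.group(1)
    return host


def hosts_for(events, transforms=("syslog-host",)):
    """Tag every event with the host it would receive under the given transforms."""
    return [(raw, assign_host(raw, transforms=transforms)) for raw in events]


if __name__ == "__main__":
    print("With the default syslog-host transform in effect:")
    for raw, host in hosts_for(SAMPLE_EVENTS):
        print(f"  host={host:<11} {raw}")
    print("With TRANSFORMS= cleared for the source:")
    for raw, host in hosts_for(SAMPLE_EVENTS, transforms=()):
        print(f"  host={host:<11} {raw}")
```

Run it and the first event comes out as host=localhost only while the transform is active; the third event keeps MyHostName either way because the pattern needs a whitespace-delimited name after the timestamp and finds only configd[14], which the trailing \s does not accept. That is exactly the mix the question describes: events whose syslog header carries a hostname get that value, everything else falls back to inputs.conf.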

southeringtonp
Motivator

See edits above. It doesn't matter that you didn't set up a transform -- there's one in effect by default. The above instructions will turn it off. Field extraction based on the transform will take precedence over the value you set in inputs.conf. As for the ones that look right, either the transform isn't matching those events, or it's actually overriding it, but with the same value.

tbertran
New Member

Hi, thanks for your help. I'm only talking about the one file /private/var/log whose sourcetype is syslog. To clarify, most events for that one source will show a host name of MyHostName (because of my hardcoding the host in inputs.conf) and some events will show localhost as a hostname. I don't see why those events do not have a hostname of MyHostName.

southeringtonp
Motivator

To clarify - please edit your question and say what the sourcetypes are for your incorrect data. Splunk has default transforms.conf entries for syslog events that will be in effect unless you have explicitly turned them off (see $SPLUNK_HOME/etc/system/default/transforms.conf)

tbertran
New Member

Thanks for your response. No, I'm not using transforms.conf, the host name is set in inputs.conf as shown in my original post and it mostly works but I can't explain why it doesn't always work.
