The servers sending data via syslog aren't resolving their host name... I edited my inputs.conf file in the local dir as suggested. When I search on Splunk by sourcetype=syslog, I see a bunch of IP addresses for host. Please kindly offer some advice on what I am doing wrong.
[udp://514]
disabled = false
connection_host = dns
Thanks,
Soni
By default, for sourcetype=syslog, the host field is extracted by regex from the event itself, which overwrites the host taken from the connection (the one set by this connection_host directive).
The easiest way to defeat this behavior is to choose a sourcetype other than syslog.