I have a system that has a different system name from the desired name in the etc/system/local/inputs.conf. I'm using Splunk_TA_nix to pull the system logs. I believe the props/transforms is changing the host to reflect the host in the logs. I only need this 1 system to to use the host in the Splunk configuration. All other systems will have matching names and the TA will be fine. Is there anything that I can put in the default config (outside the app) that will prevent this behavior?
Yes you should be able to apply a props.conf stanza to a host so that only that one system is affected. Can you please show us the configuration you're working with currently? Specifically what does your inputs.conf look like and the props.conf/transforms.conf you're mentioning that you believe is changing the hostname.
The inputs.conf is just the standard
[default]
host = thedesiredhostname
The props is the standard from TA_nix
[linux_secure]
REPORT-0authentication_for_linux_secure = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_linux_secure_timesync = signature_for_nix_timesync
REPORT-dest_for_linux_secure = host_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-pid-process_for_linux_secure = syslog-extractions
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src, host_as_src
I'm not sure which one overwrites the host field. I could post the transforms, but it is quite lengthy.
show us your configurations.