
Splunk Add-on for Unix and Linux: Splunk ignoring host entry in inputs.conf. How do I fix this configuration?

wweiland
Contributor

I have a system that has a different system name from the desired name in the etc/system/local/inputs.conf. I'm using Splunk_TA_nix to pull the system logs. I believe the props/transforms is changing the host to reflect the host in the logs. I only need this 1 system to use the host in the Splunk configuration. All other systems will have matching names and the TA will be fine. Is there anything that I can put in the default config (outside the app) that will prevent this behavior?


ryanoconnor
Builder

Yes, you should be able to apply a props.conf stanza to a host so that only that one system is affected. Can you please show us the configuration you're working with currently? Specifically, what does your inputs.conf look like, and the props.conf/transforms.conf you're mentioning that you believe is changing the hostname?

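The host-scoped props.conf stanza suggested above, written out as an added example (this is not configuration from the thread or from Splunk_TA_nix). The settings in the [linux_secure] stanza posted later in the thread are all search-time (REPORT-, EVAL-, LOOKUP-) and do not change the indexed host; a host rewrite at index time comes from a TRANSFORMS- setting whose transform writes to DEST_KEY = MetaData:Host. The transform name `example_syslog_host`, its regex and the class name `host_from_event` are hypothetical placeholders standing in for whatever the real rewrite is called; the host value `thedesiredhostname` is taken from the inputs.conf in the thread.

```ini
# --- props.conf (local layer outside the app, e.g. etc/system/local) ---

# Hypothetical index-time host rewrite, shown so the override below has
# something to cancel. In a real deployment this comes from the TA.
[linux_secure]
TRANSFORMS-host_from_event = example_syslog_host

# Host-scoped stanza. Splunk matches host:: patterns against the host
# value assigned at input time (here, from inputs.conf [default] host).
# Host patterns take precedence over sourcetype patterns, so setting the
# same TRANSFORMS- class to an empty value disables the rewrite for this
# one host only; every other host keeps the sourcetype-level behaviour.
[host::thedesiredhostname]
TRANSFORMS-host_from_event =

# --- transforms.conf (hypothetical, constructed for this example) ---

# Pulls the hostname field out of a classic syslog header
# ("Mon DD HH:MM:SS hostname ...") and overwrites the event's host.
[example_syslog_host]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Two things to check before relying on this: index-time transforms run on the parsing tier (indexer or heavy forwarder), not on a universal forwarder, so the override must live on whichever instance actually parses the data; and the class name after `TRANSFORMS-` must match the one in the TA's own stanza exactly, otherwise the empty setting creates a new, harmless class instead of cancelling the existing one. `splunk btool props list --debug` on that instance shows which file each effective setting comes from.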

wweiland
Contributor

The inputs.conf is just the standard

[default]
host = thedesiredhostname

The props is the standard from TA_nix

[linux_secure]

# Event extractions by type

REPORT-0authentication_for_linux_secure = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_linux_secure_timesync = signature_for_nix_timesync

REPORT-dest_for_linux_secure = host_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-pid-process_for_linux_secure = syslog-extractions
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src, host_as_src


wweiland
Contributor

I'm not sure which one overwrites the host field. I could post the transforms, but it is quite lengthy.


woodcock
Esteemed Legend

Show us your configurations.
