Splunk Search

Timezone being interpreted as hostname

coleman07
Path Finder

When looking at the data from the /var/log/dracut.log file, Splunk is pulling out the timezone field of the date and time and calling it the host.

Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue

3/27/12 9:15:23.000 AM  Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 /boot/initramfs-2.6.32-220.7.1.el6.x86_64.img
host=MDT | sourcetype=syslog | source=/var/log/dracut.log

The host is not MDT. I see this in several log files. Two questions: 1) How do I fix this so Splunk does not associate MDT as the host, and 2) there is no host in the line, so can Splunk assign a host to the data in this file?

What documentation do you recommend I read which would answer this question?

Thanks,

Sean Coleman


lguinn2
Legend

Splunk believes that this is a syslog-formatted log - I can tell because the sourcetype=syslog. In syslog, the host name follows the time stamp. You can do several things to correct this and to speed the processing of the file. (1) Give the file a different sourcetype. (2) Tell Splunk to find the timestamp in the first 30 characters of the event.

Find the inputs.conf file that is collecting this input. It might be the input that is collecting /var/log. Edit or create the configuration file props.conf in the same directory as the inputs.conf file.

In props.conf, put

[source::/var/log/dracut.log]
sourcetype=mySourceType
MAX_TIMESTAMP_LOOKAHEAD=30

Where mySourceType is the name of the sourcetype (you can just make up a new name).

You might browse through the Getting Data In manual. There are several sections that would be useful:

Configuring Timestamps

Configure Sourcetypes
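A fuller configuration covering both questions, added here as an example and not taken from the answer above. The reason MDT ends up as the host is that Splunk's built-in `syslog` sourcetype runs a host extraction that takes the token after the syslog timestamp; moving the file to its own sourcetype is what stops that, and the lookahead plus an explicit `TIME_FORMAT` make the timestamp parse cheap and unambiguous. Because the event carries no hostname, the host is set on the input instead. The monitor stanza, the sourcetype name `dracut`, and the host value `buildhost01` are assumptions for illustration; the file paths and the timestamp layout come from the post. Getting the host right matters for more than tidiness: any alert, correlation search, or asset lookup keyed on `host` silently misses events attributed to a timezone abbreviation.

```ini
# inputs.conf  (on the forwarder or indexer that reads the file)
# Added example: stanza, sourcetype name and host value are assumed.
[monitor:///var/log/dracut.log]
# Anything other than "syslog" avoids the syslog-host extraction.
sourcetype = dracut
# The event has no hostname, so assign one here (question 2).
# Leave this line out to use the forwarder's default host instead.
host = buildhost01

# props.conf  (same directory, e.g. the app's local/ folder)
[dracut]
# Timestamp is at the start of every line, e.g. "Tue Mar 27 09:15:04 MDT 2012"
TIME_FORMAT = %a %b %d %H:%M:%S %Z %Y
# Stop scanning for a timestamp after the first 30 characters.
MAX_TIMESTAMP_LOOKAHEAD = 30
# One event per line; no multi-line merging needed for this log.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

Either a `[source::/var/log/dracut.log]` stanza in props.conf (as in the answer above) or a `sourcetype =` line in inputs.conf (as here) will get the file off the `syslog` sourcetype; the point is that the host extraction belongs to that sourcetype, not to the file. After restarting the forwarder, search `source=/var/log/dracut.log` and confirm that `host` no longer shows a timezone value and that `_time` matches the timestamp in `_raw`.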
