Splunk Search

Timezone being interpreted as hostname

coleman07
Path Finder

When looking at the data from the /var/log/dracut.log file, splunk is pulling out the timezone field of the date and time and calling it the host.

Tue Mar 27 09:15:04 MDT 2012 Info: Installing /usr/share/dracut/modules.d/99base/initqueue

3/27/12 9:15:23.000 AM   Tue Mar 27 09:15:23 MDT 2012 Info: -rw-r--r--. 1 root root 15557959 Mar 27 09:15 /boot/initramfs-2.6.32-220.7.1.el6.x86_64.img
host=MDT   sourcetype=syslog   source=/var/log/dracut.log

The host is not MDT. I see this in several log files. Two questions: 1) How do I fix this so splunk does not associate MDT as the Host and 2) there is no host in the line so can splunk assign a host to the data in this file?

What documentation do you recommend I read which would answer this question?

Thanks,

Sean Coleman


lguinn2
Legend

Splunk believes that this is a syslog-formatted log - I can tell because the sourcetype=syslog. In syslog, the host name follows the time stamp. You can do several things to correct this and to speed the processing of the file. (1) Give the file a different sourcetype. (2) Tell Splunk to find the timestamp in the first 30 characters of the event.

Find the inputs.conf file that is collecting this input. It might be the input that is collecting /var/log. Edit or create the configuration file props.conf in the same directory as the inputs.conf file.

In props.conf, put

# Apply these settings to events read from this one file
[source::/var/log/dracut.log]
# A sourcetype other than "syslog", so the syslog host extraction is not run
sourcetype=mySourceType
# Only scan the first 30 characters of each event for the timestamp
MAX_TIMESTAMP_LOOKAHEAD=30

Where mySourceType is the name of the sourcetype (you can just make up a new name).

You might browse through the Getting Data In manual. There are several sections that would be useful:

Configuring Timestamps

Configure Sourcetypes
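An expanded configuration pair, added here as a worked example; it is not part of lguinn2's answer and not Splunk's shipped defaults. It covers both of Sean's questions: moving the file off the built-in syslog sourcetype (whose host extraction takes the token after the timestamp, which in these lines is the timezone abbreviation) and assigning a host explicitly at the input, since the lines carry none. The sourcetype name dracut and the host value webserver01.example.com are placeholders; TIME_FORMAT is written from the "Tue Mar 27 09:15:04 MDT 2012" layout in the posted lines.

```ini
# inputs.conf  (on the instance that reads the file)
[monitor:///var/log/dracut.log]
# Custom sourcetype: the built-in "syslog" sourcetype runs a host
# extraction that takes the word after the timestamp, which is "MDT" here.
sourcetype = dracut
# The lines contain no hostname, so assign one at the input.
# Placeholder value; omit the line to fall back to this instance's default host.
host = webserver01.example.com

# props.conf  (on the instance that parses the data: indexer or heavy forwarder)
[dracut]
# One event per line; no multi-line merging.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp starts the line, so do not search past it.
TIME_PREFIX = ^
# Matches "Tue Mar 27 09:15:04 MDT 2012"; %Z consumes the zone abbreviation
# so it is neither dropped nor left for a later extraction to pick up.
TIME_FORMAT = %a %b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD = 30
```

Two things to check after deploying this: the settings only affect data indexed from that point on, so events already stored with host=MDT stay as they are until re-indexed; and if the file is read by a universal forwarder, the inputs.conf stanza goes on the forwarder while the [dracut] props.conf stanza belongs on the indexer, because the universal forwarder does not do timestamp parsing.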
