Re: File Monitor Not Assigning the right host name

hartfoml · ‎03-11-2014

Here is a portion of my inputs.conf

[monitor:///mnt/log/192.168.100.200/messages]

disabled = false

followTail = 0

host =

host_segment = 3

index = num1

[monitor:///mnt/log/192.168.100.300/messages]

disabled = false

followTail = 0

host = MyFileServer1.local

index = num2

[monitor:///mnt/log/192.168.100.400/messages]

disabled = false

followTail = 0

host = MyFileServer2.local

index = num2

As you can see the first one is using host_segment = 3 to assign a host name based on the monitor path.

The second two use a “Constant Value” to assign the host name

After I put in there values all three are using the segment = 3 to assign the hostname to the logs

I deleted the entries and put them back in as you see above and still the host name for the last two are using the IP as the host name.

What can I do to change this?

gkanapathy · ‎03-11-2014

Is it possible that your files are syslog style, and Splunk is seeing this and extracting and overwriting the host from the contents of the file?

hartfoml · ‎03-11-2014

I suppose this is possible, you would know better than I. In any case I did explicitly call for the host name in the inputs.conf and there should not be any automated feature that over rides my explicit input.

How would I fix the automated override of syslog data?

Should I set the sourcetype to SYSLOG rather than automatic?

File Monitor Not Assigning the right host name

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?