Hello -
I installed Splunk 4.1 on a Ubuntu 10.4 system - nice and easy. I configured it to index ~ 7 files from the local /var/log/ path - splunk started to index - perfectly.
After I was experimenting with a second Splunk server to send Windows logs as a forwarder (I configured sending and receiving on TCP 9997), my Splunk server seemed to stop indexing my files in /var/log. The counters stopped going up - only messages from "Host=LOG01" (my server) seemed to update. Looking closer, I discovered that all logs formerly correctly identified as coming from different sources - presented nicely on my Search/Summary start page - were stale and turning up under the LOG01 host, which is now displayed as the source of all log messages.
How do I get the "source recognition" going again, so that my logs are indexed with the correct source again?
(you might guess that I am rather new to splunk)
Kindest Regards
Robert
PS: another thing I did was switching from the Enterprise to the Free license ... but the host correlation seemed to get lost before that ...