Hi all,
I'm using a straightforward Splunk install (no forwarder, no external input source) on my server. Below is an extract from my inputs.conf:
[monitor:///private/var/log]
disabled = false
followTail = 1
host = MyHostName
ignoreOlderThan = 30d
blacklist = (.bz2$|krb5kdc|appfirewall.log)
index = logs
crcSalt = <SOURCE>
Most of the events from this file show up correctly under the MyHostName host but a small portion shows up under localhost like this one:
May 1 14:34:34 localhost configd[14]: network configuration changed.
This is presumably happening because the word localhost appears in the event, but I don't care what word appears in the event; I don't want the host name to be anything other than what I set in inputs.conf.
I'm hoping it can be solved without resorting to transforms.conf, which feels like overkill for this simple issue.
Thanks for the help.