I have a few Windows machines Light Forwarding in to a central indexer, sending just WinEventLogs for now. For most hosts, its events' ComputerName is the same as the host field. For a couple, it's not. It's causing confusion as server A, which shows up as ComputerName A in its events, comes through with a host field of B, the name of a different existing server not currently running a Splunk forwarder. Where does Splunk on Windows get its host: field from, and can it be explicitly overridden?
The Host field in events coming from Windows Event Logs is set by the value in "ComputerName" field. To overwrite this, set the value of the Host field in etc\apps\windows\local\inputs.conf. You can set it globally under the [default] stanza, or you can set it individually for each Event Log channel:
A Splunk server (including a forwarder) will always have the default "host" value set in
(14 Jul '10, 22:04)
gkanapathy ♦
If logs are collected via WMI (not likely in the case of LWF), the host will be set to the value of the ComputerName field.
(14 Jul '10, 22:04)
gkanapathy ♦
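The following is an added example, not part of the original thread and not Splunk's own code: it resolves which `host` setting is in effect for each input stanza (a stanza-level value wins over `[default]`) and flags events whose indexed host disagrees with their own ComputerName. The stanza names, server names and the `stanza` key on each event are constructed for illustration.

```python
import configparser

# Constructed sample of etc\apps\windows\local\inputs.conf
# (stanza names and host values are illustrative assumptions).
SAMPLE_INPUTS_CONF = r"""
[default]
host = SERVER-A

[WinEventLog:Security]
disabled = 0

[WinEventLog:System]
disabled = 0
host = SERVER-B
"""

# Constructed sample events: indexed host field, ComputerName from the event
# body, and the input stanza assumed to have produced the event.
SAMPLE_EVENTS = [
    {"host": "SERVER-A", "ComputerName": "SERVER-A", "stanza": "WinEventLog:Security"},
    {"host": "SERVER-B", "ComputerName": "SERVER-A", "stanza": "WinEventLog:System"},
    {"host": "server-a", "ComputerName": "SERVER-A.corp.example", "stanza": "WinEventLog:Security"},
]

def effective_hosts(conf_text):
    """Return {stanza: host}; a stanza-level host overrides the [default] one."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(conf_text)
    return {s: cp.get(s, "host", fallback=None) for s in cp.sections()}

def short_name(name):
    """Normalise for comparison: case-insensitive, DNS suffix dropped."""
    return name.split(".", 1)[0].lower()

def host_mismatches(events):
    """Events whose indexed host does not match the event's own ComputerName."""
    return [e for e in events
            if short_name(e["host"]) != short_name(e["ComputerName"])]

def explain(events, conf_text):
    """Pair each mismatch with the host setting in effect for its stanza."""
    hosts = effective_hosts(conf_text)
    return [(e["stanza"], e["ComputerName"], e["host"], hosts.get(e["stanza"]))
            for e in host_mismatches(events)]

if __name__ == "__main__":
    for stanza, computer, host, configured in explain(SAMPLE_EVENTS, SAMPLE_INPUTS_CONF):
        print(f"{stanza}: ComputerName={computer} host={host} configured host={configured}")
```

A mismatch whose configured host equals the wrong name points at an inputs.conf override; a mismatch with no matching override needs a different explanation.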
I've been affected by and tracking this issue for more than a year. There doesn't seem to be any good answer (this isn't one either, I'm afraid), and Windows hosts seem to return an essentially random host value based on the computer name somehow :-). Certainly submit an Enhancement Request (P4 bug) if not a higher priority bug so Splunk can track requests for this. I have seen these issues at many clients.
(24 May '12, 07:22)
Jason
Can you show us your monitor stanzas in inputs.conf?
Not currently, due to other things happening on the server right now. Probably later.
Would this be affected by inputs.conf? This had the same Splunk install package installed on it as other servers which are correctly reporting their ComputerName as host.
Yes, inputs.conf can and will affect it. See Ledio's post below. I can't tell why it switches from one host to another though. You are not grabbing event logs from CPNameB through WMI or anything else, are you?