topic Re: Windows Universal forwarder shows 2 host names for the same server in Getting Data In

Windows Universal forwarder shows 2 host names for the same server

neerajshah81 — Thu, 12 Jul 2018 19:16:03 GMT

Hello, We have a single instance splunk deployment. I have installed Universal Forwarder on an Win 2012 R2 Active Directory DC. Upon checking / searching for the events in Splunk Search UI, i noticed it shows 2 different host names for the same DC server. Screenshot below. How to resolve this ? If i click on the 1st host "LAN-AD', it shows events related to CPU, Memory monitoring whereas if i click on the other one, this shows events related to Security Events, Application Event log etc.

Re: Windows Universal forwarder shows 2 host names for the same server

pradeepkumarg — Thu, 12 Jul 2018 19:48:13 GMT

https://answers.splunk.com/answers/642834/why-are-there-multiple-host-entries-for-every-splu.html#answer-642944

Re: Windows Universal forwarder shows 2 host names for the same server

neerajshah81 — Fri, 13 Jul 2018 14:35:29 GMT

Hi, i followed that link but don't see the solution mentioned. I have checked my server.conf and inputs.conf file on my Universal Forwarder. Both do not have any [servername] attribute defined. Where is the UF getting the 2 server names from ?

Re: Windows Universal forwarder shows 2 host names for the same server

ddrillic — Fri, 13 Jul 2018 16:14:13 GMT

Interesting - what does $SPLUNK_HOME/etc/system/local/inputs.conf say on the forwarder? It should have the following -

[default]
host = <host_name>

Re: Windows Universal forwarder shows 2 host names for the same server

pradeepkumarg — Mon, 16 Jul 2018 17:09:57 GMT

Check the other answer.. I've copy pasted below.

I've seen this usually with syslog (/var/log/syslog)

Syslog is a pre trained sourcetype and extracts the host from within the log itself and if the log has the hostname without FQDN, you see that.

Check the sourcetypes for each of those host entry |tstats count WHERE host=test* by host,sourcetype | stats values(sourcetype) by host

You will see your problematic sourcetype that is causing the host value without FQDN.

Re: Windows Universal forwarder shows 2 host names for the same server

neerajshah81 — Tue, 17 Jul 2018 16:02:03 GMT

Thank you Ddrillic. Earlier I was looking at a different inputs.conf ( in a different folder).

Re: Windows Universal forwarder shows 2 host names for the same server

neerajshah81 — Tue, 17 Jul 2018 16:03:04 GMT

Hi Pradeep, Thanks. Earlier I was looking at a different inputs.conf ( in a different folder) and so the confusion. After correcting the "correct" inputs.conf , i am all set.