topic Re: splunk search and changed domaincontroller name in Splunk Search

splunk search and changed domaincontroller name

ESIMatNeforce — Mon, 28 Sep 2020 14:59:57 GMT

Hello,
I have recently changed the computername of my Domaincontroller. When I make a splunk search with "failed password" I get the logs with some attributes of the old hostname and some of the new one:

dest_nt_host W2012R2SrvDC.splunktest.local

dvc WIN-2LUN2OJR0JR

dvc_nt_host WIN-2LUN2OJR0JR

host WIN-2LUN2OJR0JR

The new computername is W2012R2SrvDC. Why does Splunk still has the old computername in the found logs? (the logs are newly created) and how can I fix this issue?

Re: splunk search and changed domaincontroller name

sdaniels — Thu, 17 Oct 2013 13:22:18 GMT

Sounds like on the initial setup of this host you have a constant value for the host field value in the Splunk configuration and you just need to change that.

In the inputs.conf do you have an entry assigning the hostname like this?

[monitor:///whatever/log1]
host = abc.mydomain.com

Re: splunk search and changed domaincontroller name

ESIMatNeforce — Fri, 18 Oct 2013 11:06:00 GMT

thanks, but thats not a solution to my problem
i have searched all config files on my splunk system, but there is nowhere a hardcoded "WIN-2LUN2OJR0JR" in it