Hi, I have archived Splunk indexed data through an "NFS mount point" and transferred it to the client server.
I copied it into the thawed bucket and rebuilt the data in a new index on the client server, but the host it is showing is that of the master server and not the client server host name.
Where do I change the host so that it will show the client server host name?
Splunk version = 6.5.0
I think you have copied your instance from one system to another. In $SPLUNK_HOME/etc/system/local/server.conf:
[general]
serverName = NewIndexer.local
I think there are a few other GUIDs that should change too but I don't know where they are. Maybe someone else can help with that.
Your question is not entirely clear.
When Splunk is collecting the data, it uses the host value specified in the inputs.conf stanza. (Each input has a set of attributes defined in inputs.conf.)
If there is no host specified in that stanza, then Splunk uses the default host value provided in the $SPLUNK_HOME/etc/system/local/inputs.conf on the machine that is collecting the data.
After the data is collected (called the "input phase" in the documentation), Splunk parses the data and writes it to an index. During the parsing phase, the value of the host field can be tweaked if needed.
At the end of the parsing phase, Splunk writes the data to disk. At that point, nothing can be changed.
Regardless of whether you archive / restore / move / rebuild the index, the data within the index (source, sourcetype, host, etc.) cannot be changed.
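
The three places described in the answer above where the host value is decided before indexing, shown as an added configuration example that is not part of the original thread. The host names, monitored path, sourcetype, transform name and regex are assumptions made up for illustration.

```ini
# --- $SPLUNK_HOME/etc/system/local/inputs.conf (on the machine collecting the data) ---

# Fallback host for every input on this machine that does not set its own.
[default]
host = client-server-01

# Per-input host: takes precedence over [default] for this input only.
# Path and sourcetype are hypothetical.
[monitor:///var/log/app/app.log]
host = app-node-07
sourcetype = app_log

# --- props.conf (on the instance that parses the data) ---

# Parsing-phase override: attach a transform to the sourcetype.
[app_log]
TRANSFORMS-sethost = set_host_from_event

# --- transforms.conf (same instance as props.conf) ---

# Rewrite the host field from a value found in the event text.
# The regex assumes events contain "origin=<hostname>" (constructed format).
[set_host_from_event]
REGEX = origin=(\S+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

# All of the above applies only to events indexed after the change.
# Events already written to a bucket, including thawed ones, keep the
# host value they were indexed with.
```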