how can configure splunk Home -> All forwarders to the FQDN instead of just the host name?
Thanks
In v4.2.4, there seems to be a couple issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.
After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.
http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from
In the meantime, you can sort of workaround this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always to same for ALL Forwarders.
index=_internal sourcetype=fwdinfo | eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) | timechart count by Forwarder
In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)