Forwarder host name - FQDN

yzidell
Engager

How can I configure Splunk Home -> All forwarders to use the FQDN instead of just the host name?

Thanks

maverick
Splunk Employee

In v4.2.4, there seem to be a couple of issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.

After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.

http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from

In the meantime, you can sort of work around this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always the same for ALL Forwarders.

index=_internal sourcetype=fwdinfo 
| eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) 
| timechart count by Forwarder

maverick
Splunk Employee

In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)

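Added example, not part of the original thread or of Splunk's own searches: a variant of the workaround above that does not hard-code one domain, but learns each forwarder's FQDN from other fwdinfo events in the same search window, so that myhost and myhost.splunk.com collapse into one series. The field names short, fqdn and known_fqdn are introduced here for illustration; a short name that appears under no FQDN, or under more than one, is left as the short name rather than guessed.

```spl
index=_internal sourcetype=fwdinfo
| eval short = lower(mvindex(split(hostname, "."), 0))
| eval fqdn = if(match(hostname, "\."), lower(hostname), null())
| eventstats values(fqdn) as known_fqdn by short
| eval Forwarder = case(isnotnull(fqdn), fqdn, mvcount(known_fqdn) == 1, known_fqdn, true(), short)
| timechart count by Forwarder
```

Forwarders that still show up under a bare short name are the ones that never reported an FQDN in the window, or whose short name exists in several domains, and need to be mapped by hand.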