Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fowarder host name - FQDN

yzidell
Engager
‎11-29-2011 03:06 PM

how can configure splunk Home -> All forwarders to the FQDN instead of just the host name?

Thanks

Tags (1)
Reply

maverick
Splunk Employee
Splunk Employee
‎12-07-2011 07:49 AM

In v4.2.4, there seems to be a couple issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.

After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.

http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from

In the meantime, you can sort of workaround this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always to same for ALL Forwarders.

index=_internal sourcetype=fwdinfo 
| eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) 
| timechart count by Forwarder
0 Karma
Reply

maverick
Splunk Employee
Splunk Employee
‎12-05-2011 02:38 PM

In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...