Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Fowarder host name - FQDN

yzidell
Engager
‎11-29-2011 03:06 PM

how can configure splunk Home -> All forwarders to the FQDN instead of just the host name?

Thanks

Tags (1)
Reply

maverick
Splunk Employee
Splunk Employee
‎12-07-2011 07:49 AM

In v4.2.4, there seems to be a couple issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.

After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.

http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from

In the meantime, you can sort of workaround this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always to same for ALL Forwarders.

index=_internal sourcetype=fwdinfo 
| eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) 
| timechart count by Forwarder
0 Karma
Reply

maverick
Splunk Employee
Splunk Employee
‎12-05-2011 02:38 PM

In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...