Re: Fowarder host name - FQDN

yzidell · ‎11-29-2011

how can configure splunk Home -> All forwarders to the FQDN instead of just the host name?

Thanks

maverick · ‎12-07-2011

In v4.2.4, there seems to be a couple issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.

After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.

http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from

In the meantime, you can sort of workaround this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always to same for ALL Forwarders.

index=_internal sourcetype=fwdinfo 
| eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) 
| timechart count by Forwarder

maverick · ‎12-05-2011

In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)

Fowarder host name - FQDN

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation