Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fowarder host name - FQDN

yzidell
Engager
‎11-29-2011 03:06 PM

how can configure splunk Home -> All forwarders to the FQDN instead of just the host name?

Thanks

Tags (1)
Reply

maverick
Splunk Employee
Splunk Employee
‎12-07-2011 07:49 AM

In v4.2.4, there seems to be a couple issues with how Splunk currently determines the host name of Forwarders. The info is contained in the index=_internal, where the sourcetype=fwdinfo and the Forwarder host name field is called hostname.

After looking at this other Splunk Answer, it seems that the issue is resolved in v4.2.5 and/or v4.3.

http://splunk-base.splunk.com/answers/25868/where-does-the-fwdinfo-sourcetype-come-from

In the meantime, you can sort of workaround this issue by evaluating the hostname and, if it does not contain a period char (.), you can append the FQDN onto the end. Of course, you may need to evaluate more conditions for your specific Forwarder host names/domains, but this example shows one way, where the domain name is always to same for ALL Forwarders.

index=_internal sourcetype=fwdinfo 
| eval Forwarder = lower(if(match(hostname,"\."),hostname,hostname.".yourdomain.com")) 
| timechart count by Forwarder
0 Karma
Reply

maverick
Splunk Employee
Splunk Employee
‎12-05-2011 02:38 PM

In the summary_forwarders index there is a field called sourceHost and I'm also seeing both FQDN and single-host names for the same Windows forwarder in this field. (i.e. myhost vs myhost.splunk.com)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...