Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Good practice to remove serverName from server.conf?

satyenshah
Path Finder
‎02-07-2019 07:03 AM

I'm wondering what are the consequences of deleting the "serverName" attribute from server.conf in /etc/system/local. We'd like to do that because sometimes servers get cloned by other teams in our organization (oblivious to splunk clone-prep-clear-config, and the cloned server gets deployed. Both servers send logs to Splunk Enterprise containing the same hostname. That needs to be detected and remediated. A preventative solution seems to be removing serverName from all forwarders using a deployment-app.

From testing on Windows/RHEL, Splunk works fine falling back to /etc/system/default, which contains serverName=$COMPUTERNAME, which sets the hostname at runtime. That makes it peculiar that serverName is hardcoded in /etc/system/local at installation. Is there a reason for that, or is it legacy from earlier versions of Splunk?

Two questions:

1) are there any unintended consequences of removing serverName from /etc/system/local?
2) would it be better to remove serverName from /etc/system/local, or to replace it with $COMPUTERNAME?

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2019 09:11 AM

$COMPUTERNAME is a good default setting, but sometimes you want your forwarder to have a more descriptive name, hence the setting in etc/system/local.

1) Splunk doesn't care which setting you use so the consequences are purely in how you use your server/forwarder names.
2) Either. The trouble is you can't override etc/system/local with etc/apps/myapp/. You would have to do it with something other than the deployment server, like Puppet of Ansible.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xanthakita
Path Finder
‎02-07-2019 11:01 AM

Have you considered using host=someUniqueHostname in your inputs.conf file... which you can manage from a deployment server?

its possible that the _internal indexes will continue to show the servername attribute, however your regular indexed events will show from whatever name you put in inputs as host=...

I often use different host names from the same UF if I am getting logs from multiple servers forwarded to one UF for example.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2019 09:11 AM

$COMPUTERNAME is a good default setting, but sometimes you want your forwarder to have a more descriptive name, hence the setting in etc/system/local.

1) Splunk doesn't care which setting you use so the consequences are purely in how you use your server/forwarder names.
2) Either. The trouble is you can't override etc/system/local with etc/apps/myapp/. You would have to do it with something other than the deployment server, like Puppet of Ansible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

satyenshah
Path Finder
‎02-07-2019 10:33 AM

Thanks! Concerning the method, I already have a deployment app that comments out the line in server.conf. The question was mistakenly edited by the admins suggesting that I was asking how to remove the serverName, as opposed to whether removing the serverName is the best approach.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...