Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Good practice to remove serverName from server.conf?

satyenshah
Path Finder
‎02-07-2019 07:03 AM

I'm wondering what are the consequences of deleting the "serverName" attribute from server.conf in /etc/system/local. We'd like to do that because sometimes servers get cloned by other teams in our organization (oblivious to splunk clone-prep-clear-config, and the cloned server gets deployed. Both servers send logs to Splunk Enterprise containing the same hostname. That needs to be detected and remediated. A preventative solution seems to be removing serverName from all forwarders using a deployment-app.

From testing on Windows/RHEL, Splunk works fine falling back to /etc/system/default, which contains serverName=$COMPUTERNAME, which sets the hostname at runtime. That makes it peculiar that serverName is hardcoded in /etc/system/local at installation. Is there a reason for that, or is it legacy from earlier versions of Splunk?

Two questions:

1) are there any unintended consequences of removing serverName from /etc/system/local?
2) would it be better to remove serverName from /etc/system/local, or to replace it with $COMPUTERNAME?

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2019 09:11 AM

$COMPUTERNAME is a good default setting, but sometimes you want your forwarder to have a more descriptive name, hence the setting in etc/system/local.

1) Splunk doesn't care which setting you use so the consequences are purely in how you use your server/forwarder names.
2) Either. The trouble is you can't override etc/system/local with etc/apps/myapp/. You would have to do it with something other than the deployment server, like Puppet of Ansible.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xanthakita
Path Finder
‎02-07-2019 11:01 AM

Have you considered using host=someUniqueHostname in your inputs.conf file... which you can manage from a deployment server?

its possible that the _internal indexes will continue to show the servername attribute, however your regular indexed events will show from whatever name you put in inputs as host=...

I often use different host names from the same UF if I am getting logs from multiple servers forwarded to one UF for example.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2019 09:11 AM

$COMPUTERNAME is a good default setting, but sometimes you want your forwarder to have a more descriptive name, hence the setting in etc/system/local.

1) Splunk doesn't care which setting you use so the consequences are purely in how you use your server/forwarder names.
2) Either. The trouble is you can't override etc/system/local with etc/apps/myapp/. You would have to do it with something other than the deployment server, like Puppet of Ansible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

satyenshah
Path Finder
‎02-07-2019 10:33 AM

Thanks! Concerning the method, I already have a deployment app that comments out the line in server.conf. The question was mistakenly edited by the admins suggesting that I was asking how to remove the serverName, as opposed to whether removing the serverName is the best approach.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...