You can configure the hostname per Splunk instance. You'll need to update the $SPLUNK_HOME/etc/system/local/inputs.conf to reflect this:
[default]
host = Windows1
Without customizing this, Splunk will use the system's local hostname as its default host setting, which, in your case, would be the same for all 4 hosts.
You may wish to use a fully-qualified hostname. If this is absolutely impossible, you can add a key and index another field into Splunk:
inputs.conf where the inputs are being collected:
newfield = network_id
props.conf on the parsing queue machine(s):
[<host or source or sourcetype specifier>]
TRANSFORMS-setnewfieldtonetworkid = setnetworkid
transforms.conf on the parsing queue machine(s):
[setnetworkid]
SOURCE_KEY = newfield
REGEX = (.*)
FORMAT = newfield::$1
# WRITE_META is required for an index-time field when DEST_KEY is not _meta
WRITE_META = true
fields.conf on the searcher machine:
[newfield]
INDEXED = True
INDEXED_VALUE = False
Thanks, it works!
Thanks! I'll try this soon, but why can't Splunk get the name inserted in the web interface?
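When several instances report the same host value, their events cannot be told apart during an investigation, so it is worth checking the per-instance override described in the answers above across all instances. The following is an added example, not code from the thread or from Splunk: the function names, instance labels and sample file contents are constructed, and comparing host values case-insensitively is a choice made for this sketch.

```python
from collections import defaultdict

def default_host(conf_text):
    """Return the host value from the [default] stanza, or None if unset."""
    # Settings placed before any stanza header are global, like [default].
    stanza, host = "default", None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif "=" in line and stanza == "default":
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "host" and value:
                host = value  # this sketch keeps the last assignment it sees
    return host

def audit_hosts(confs):
    """confs maps an instance label to the text of its local inputs.conf.

    Returns (instances with no default host override,
             {host value: [instances sharing it]}).
    """
    by_host, unset = defaultdict(list), []
    for instance, text in sorted(confs.items()):
        host = default_host(text)
        if host is None:
            unset.append(instance)  # falls back to the OS hostname
        else:
            by_host[host.lower()].append(instance)
    shared = {h: names for h, names in by_host.items() if len(names) > 1}
    return unset, shared

# Constructed sample: four instances, one copied without editing the host
# value and one with no override at all.
SAMPLE = {
    "instance-a": "[default]\nhost = Windows1\n",
    "instance-b": "[default]\nhost = Windows2\n",
    "instance-c": "# copied from instance-a\n[default]\nhost = windows1\n",
    "instance-d": "[monitor://C:\\logs]\nindex = main\n",
}

if __name__ == "__main__":
    unset, shared = audit_hosts(SAMPLE)
    print("no default host override:", unset)
    for host, names in shared.items():
        print(f"host '{host}' is shared by: {', '.join(names)}")
```

To run it against real instances, read each instance's `$SPLUNK_HOME/etc/system/local/inputs.conf` into the dictionary in place of `SAMPLE`.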