Deployment Architecture

Why does the Host name in deployment server appears many times with different client names?

StuartMacL
Path Finder

A new entry appears every few days in the Forwarder Management area. Phone homes are only working for the latest entry.

Same Host Name, same IP Address, only the Client Name is different.

Any ideas?

Labels (2)
Tags (2)
0 Karma

Simple_Search
Path Finder

Two items to check -

1. Within the deploymentclient.conf file within the etc\system\local folder, there is a ClientName field that could be added.

2. The following SPL will identify duplicate entries coming in from different machines

index=* host=*
| dedup ComputerName
| rex field=ComputerName "(?<host_name>[^.]+)\."
| stats count(host_name), values(host_name) by host
| sort -count(host_name)
| where count > 1
| rename host as "Computer Name" "count(host_name)" as "Record Count" values(host_name) as "Affected Machines"

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @StuartMacL ,

check if the server hostname is the same of $SPLUNK_HOME/etc/system/local/server.conf.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...