- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to determine the name of the server the universal forwarder resides on ? getting the hostname as $decideOnStartup ?
Hi All, Currently i am facing an issue in finding the correct host name for windows Universal agent server which is sending the data to index=windows. I am not sure why it is sending the data with this name, I hope there should be some configuration issue in inputs.conf file. So Is there an easy way to determine what server has the messed up configuration? Kindly guide us in troubleshooting this issue.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![dkolekar_splunk dkolekar_splunk](https://community.splunk.com/legacyfs/online/avatars/433234.jpg)
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
If the proper hostname is set in $SPLUNK_HOME$/etc/system/local/inputs.conf any new stream event should be associated with that given name. If left unset, the modular input reverts to the default name, "$decideOnStartup".
Hope this helps.
To solve this issue, you need to rectify which from which source/host data is coming into splunk. (You can use metrics.log for reference)
Also, you can try restarting splunkd service on particular UF to check if the true hostname appears.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![skalliger skalliger](https://community.splunk.com/legacyfs/online/avatars/456299.jpg)
Maybe I misunderstood that but: You only want to know which host is sending to your index called "windows"?
Then do this:
index=windows | stats values(host)
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey i got the host name as $decideOnStartup in splunk console which is not the correct host name, so need to know how to find the correct host name of this ..
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you see at $SPLUNK_HOME/etc/system/local/inputs.conf
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ddrillic, thanks for your response on this, first i need to find from which host these data are being ingested to the index=win_svrs. On getting the correct host name , i can check the inputs.conf file. Currently in splunk search head, i could see the host=$decideOnStartup .
So please let me know how to check the correct host name, from where this data being is ingested to the index=win_Svrs in the indexer instances.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so for the forwarder, you can adjust the host value in this inputs.conf
on the forwarder and bounce the forwarder. This should solve the issue...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes but my question is how to find from which host name the data are coming in to the index, currently i could see the hostname as $decideOnStartup which is not the correct host name, so it will be help full if you can tell me how to find the correct host name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
How are you installing Splunk on forwarders? It seems the first time run activities after installation was not completed causing host=$decideOnStartup to not resolve to actual host name.
![](/skins/images/53C7C94B4DD15F7CACC6D77B9B4D55BF/responsive_peak/images/icon_anonymous_message.png)