Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to determine the name of the server the universal forwarder resides on ? getting the hostname as $decideOnStartup ?

Hemnaath
Motivator
‎07-19-2017 08:20 AM

Hi All, Currently i am facing an issue in finding the correct host name for windows Universal agent server which is sending the data to index=windows. I am not sure why it is sending the data with this name, I hope there should be some configuration issue in inputs.conf file. So Is there an easy way to determine what server has the messed up configuration? Kindly guide us in troubleshooting this issue.

thanks in advance.

Tags (1)
0 Karma
Reply

dkolekar_splunk
Splunk Employee
Splunk Employee
‎04-22-2019 12:52 AM

If the proper hostname is set in $SPLUNK_HOME$/etc/system/local/inputs.conf any new stream event should be associated with that given name. If left unset, the modular input reverts to the default name, "$decideOnStartup".
Hope this helps.

To solve this issue, you need to rectify which from which source/host data is coming into splunk. (You can use metrics.log for reference)
Also, you can try restarting splunkd service on particular UF to check if the true hostname appears.

Reply

skalliger
Motivator
‎07-20-2017 04:46 AM

Maybe I misunderstood that but: You only want to know which host is sending to your index called "windows"?

Then do this:

index=windows | stats values(host)

Skalli

0 Karma
Reply

Hemnaath
Motivator
‎07-20-2017 07:40 AM

hey i got the host name as $decideOnStartup in splunk console which is not the correct host name, so need to know how to find the correct host name of this ..

thanks in advance.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-19-2017 08:39 AM

What do you see at $SPLUNK_HOME/etc/system/local/inputs.conf ?

0 Karma
Reply

Hemnaath
Motivator
‎07-19-2017 10:11 AM

Hi ddrillic, thanks for your response on this, first i need to find from which host these data are being ingested to the index=win_svrs. On getting the correct host name , i can check the inputs.conf file. Currently in splunk search head, i could see the host=$decideOnStartup .

So please let me know how to check the correct host name, from where this data being is ingested to the index=win_Svrs in the indexer instances.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-19-2017 10:39 AM

Ok, so for the forwarder, you can adjust the host value in this inputs.conf on the forwarder and bounce the forwarder. This should solve the issue...

0 Karma
Reply

Hemnaath
Motivator
‎07-19-2017 11:01 AM

Yes but my question is how to find from which host name the data are coming in to the index, currently i could see the hostname as $decideOnStartup which is not the correct host name, so it will be help full if you can tell me how to find the correct host name.

0 Karma
Reply

somesoni2
Revered Legend
‎07-20-2017 06:35 AM

How are you installing Splunk on forwarders? It seems the first time run activities after installation was not completed causing host=$decideOnStartup to not resolve to actual host name.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...