Deployment Architecture

How to determine the name of the server the universal forwarder resides on? Getting the hostname as $decideOnStartup?

Hemnaath
Motivator

Hi all, currently I am facing an issue in finding the correct host name for a Windows universal agent server which is sending data to index=windows. I am not sure why it is sending the data with this name; I suspect there is some configuration issue in the inputs.conf file. So is there an easy way to determine which server has the messed-up configuration? Kindly guide us in troubleshooting this issue.

thanks in advance.

0 Karma

dkolekar_splunk
Splunk Employee

If the proper hostname is set in $SPLUNK_HOME/etc/system/local/inputs.conf, any new stream event should be associated with that given name. If left unset, the modular input reverts to the default name, "$decideOnStartup".
Hope this helps.

To solve this issue, you need to verify from which source/host the data is coming into Splunk (you can use metrics.log for reference).
Also, you can try restarting the splunkd service on the particular UF to check whether the true hostname appears.
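As an added example (not code from the thread or from Splunk), the following script does the two checks the answer above describes on sample data. The metrics.log lines and the inputs.conf text are constructed and abridged; the host names, IPs and GUIDs are made up. The field names it reads (group, sourceIp, hostname, guid, version) are the ones the indexer's splunkd writes for each inbound forwarder connection in the tcpin_connections metrics group; a forwarder that never resolved its name announces the literal string $decideOnStartup there, and sourceIp then tells you which box to log on to. The inputs.conf reader is a minimal hand-rolled parser for illustration, not Splunk's own btool.

```python
from collections import defaultdict

UNRESOLVED = "$decideOnStartup"  # Splunk's placeholder for "resolve the host at startup"

# Constructed, abridged sample of an indexer's metrics.log. Real lines carry many more
# throughput counters; only the fields used below are kept. Names, IPs and GUIDs are made up.
SAMPLE_METRICS_LOG = """\
01-15-2025 10:00:01.123 +0000 INFO  Metrics - group=tcpin_connections, 10.1.20.31:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.1.20.31, sourceIp=10.1.20.31, destPort=9997, kb=12.34, version=9.1.2, os=Windows, arch=x64, hostname=WINSRV01, guid=AAAAAAAA-1111-2222-3333-444444444444, fwdType=uf
01-15-2025 10:00:01.123 +0000 INFO  Metrics - group=tcpin_connections, 10.1.20.47:50110:9997, connectionType=cooked, sourcePort=50110, sourceHost=10.1.20.47, sourceIp=10.1.20.47, destPort=9997, kb=3.21, version=9.1.2, os=Windows, arch=x64, hostname=$decideOnStartup, guid=BBBBBBBB-1111-2222-3333-444444444444, fwdType=uf
01-15-2025 10:00:01.123 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.23, instantaneous_eps=4.56, average_kbps=1.11, total_k_processed=100, kb=1.23, ev=5
01-15-2025 10:00:31.456 +0000 INFO  Metrics - group=tcpin_connections, 10.1.20.47:50110:9997, connectionType=cooked, sourcePort=50110, sourceHost=10.1.20.47, sourceIp=10.1.20.47, destPort=9997, kb=2.10, version=9.1.2, os=Windows, arch=x64, hostname=$decideOnStartup, guid=BBBBBBBB-1111-2222-3333-444444444444, fwdType=uf
"""

# Constructed $SPLUNK_HOME/etc/system/local/inputs.conf as it might look on the broken UF,
# and the same file with the host set explicitly (the fix ddrillic suggests below).
BROKEN_INPUTS_CONF = """\
[default]
host = $decideOnStartup

[WinEventLog://Security]
disabled = 0
index = windows
"""
FIXED_INPUTS_CONF = BROKEN_INPUTS_CONF.replace("host = $decideOnStartup", "host = WINSRV02")


def parse_metrics_line(line):
    """Split one metrics.log line into its key=value fields.
    Tokens without '=' (the timestamp prefix, the 'ip:port:port' connection id) are skipped."""
    fields = {}
    _, _, payload = line.partition(" - ")  # everything after 'Metrics - '
    for token in payload.split(", "):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def forwarders_by_hostname(log_text):
    """Map each hostname a forwarder announced to the set of (sourceIp, guid, version)
    tuples seen for it across all tcpin_connections samples."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_metrics_line(line)
        if f.get("group") != "tcpin_connections":
            continue
        seen[f.get("hostname", "?")].add((f.get("sourceIp"), f.get("guid"), f.get("version")))
    return dict(seen)


def find_unresolved_forwarders(log_text):
    """Return the (sourceIp, guid, version) tuples of every forwarder that still
    announces the literal placeholder instead of a real host name."""
    return sorted(forwarders_by_hostname(log_text).get(UNRESOLVED, set()))


def default_host_from_inputs_conf(conf_text):
    """Return the 'host' value in the [default] stanza of an inputs.conf, or None if unset.
    Minimal reader: stanzas in [brackets], key = value lines, '#' comments."""
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and stanza == "default" and key.strip() == "host":
            return value.strip()
    return None


def host_is_unresolved(conf_text):
    """True when this file leaves host unset (falls through to the system default
    placeholder) or sets it to the placeholder itself."""
    host = default_host_from_inputs_conf(conf_text)
    return host is None or host == UNRESOLVED


if __name__ == "__main__":
    for ip, guid, version in find_unresolved_forwarders(SAMPLE_METRICS_LOG):
        print(f"forwarder at {ip} (guid {guid}, UF {version}) still sends host={UNRESOLVED}")
    print("broken inputs.conf leaves host unresolved:", host_is_unresolved(BROKEN_INPUTS_CONF))
    print("fixed inputs.conf leaves host unresolved:", host_is_unresolved(FIXED_INPUTS_CONF))
```

On a live deployment the same lookup is a search against the indexers' own logs rather than a script, for example `index=_internal source=*metrics.log group=tcpin_connections hostname="$decideOnStartup" | stats values(sourceIp) values(guid) by hostname`. Once you know the source IP, run `splunk btool inputs list default --debug` on that forwarder: it prints the merged value of `host` together with the file that sets it, so you see whether the placeholder is coming from system/local, an app, or the system default.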

skalliger
Motivator

Maybe I misunderstood that but: You only want to know which host is sending to your index called "windows"?

Then do this:

index=windows | stats values(host)

Skalli

0 Karma

Hemnaath
Motivator

Hey, I got the host name as $decideOnStartup in the Splunk console, which is not the correct host name, so I need to know how to find the correct host name for this.

thanks in advance.

0 Karma

ddrillic
Ultra Champion

What do you see at $SPLUNK_HOME/etc/system/local/inputs.conf ?

0 Karma

Hemnaath
Motivator

Hi ddrillic, thanks for your response on this. First I need to find from which host this data is being ingested into index=win_svrs. On getting the correct host name, I can check the inputs.conf file. Currently, in the Splunk search head, I can see host=$decideOnStartup.

So please let me know how to check the correct host name from which this data is being ingested into index=win_svrs on the indexer instances.

0 Karma

ddrillic
Ultra Champion

OK, so for the forwarder, you can adjust the host value in this inputs.conf on the forwarder and bounce the forwarder. This should solve the issue...

0 Karma

Hemnaath
Motivator

Yes, but my question is how to find which host name the data is coming from into the index. Currently I can see the hostname as $decideOnStartup, which is not the correct host name, so it would be helpful if you can tell me how to find the correct host name.

0 Karma

somesoni2
Revered Legend

How are you installing Splunk on the forwarders? It seems the first-time-run activities after installation were not completed, causing host=$decideOnStartup not to resolve to the actual host name.

0 Karma