Case sensitivity on universal forwarder hostname

Derek · ‎11-21-2011

I have a universal forwarder (4.2.2) setup that sends text logs, event logs and WMI counters.

When the data gets indexed on our indexer, the host field for everything but WMI data shows "abc123" (lowercased) and the WMI data will be "ABC123" (uppercased).

The inputs.conf file has a host setting of "abc123" and server.conf has the same. The server hostname is also "abc123"

Why does WMI data show up with the hostname capitalized? Is it a bug in the version of UF that I'm running?

Thanks!

_d_ · ‎11-21-2011

Derek,

Can you check your Universal Forwarder's etc\system\local\server.conf setting for serverName? If it is the hostname in capital letters, change it to lowercase, restart Splunk, and see if it makes a difference.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

cmeo · ‎03-27-2012

WMI inputs appear to use the Netbios name, regardless of other settings. A number of questions have been asked on this topic. netbios names are always uppercase.

Derek · ‎11-21-2011

It's also set to the lowercase version of the hostname.

Case sensitivity on universal forwarder hostname

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...