Hello,
We have configured a number of our Cherwell servers to send data to Splunk on our management port 89 (default 8089). The issue is we have a few servers with the same name in different domains, so we need the host to be the FQDN, host.domain.com. Where or how would I set this? Is this a global setting? Is that port considered an input, and can I set a connect_host for it?
Thanks, 
Peter
{
    Level:  WARN
    Message:  Duplicate script key being added with key: [postInitMenu]; value: []; type: [Startup]
    ThreadName:  Thread_22
    TimeStamp:  2016-08-17T15:29:23.9734481-04:00
    pid:  4288
}
host = CWAPP01 source = w3wp sourcetype = Cherwell

Hi Peter,
I am assuming your Cherwell servers have been configured to log to Splunk as described here? 
I don't know how they implemented that integration, likely it is using the receivers/simple endpoint (which, btw, is not recommended for any kind of high volume logging. But that's a different story...).
That endpoint expects a host name in the request parameters, so this would have to be set in Cherwell code.
Having said that, it is likely a result of the hosts that run Cherwell not returning a FQDN when asked for their hostname. I would start with the server admins of those boxes.
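
What the answer above describes, as an added example that is not part of the original thread and not Cherwell's code: with receivers/simple the sender passes host as a query parameter, so the sending side has to supply the FQDN itself. The function names, the Splunk URL, the domains and the token placeholder are assumptions made for illustration.

```python
import socket
import urllib.parse
import urllib.request


def qualified_host(candidate, default_domain=None):
    """Return candidate as an FQDN; append default_domain to a short name, else refuse."""
    name = candidate.strip().rstrip(".")
    if "." in name:
        return name
    if default_domain:
        return f"{name}.{default_domain.strip('.')}"
    raise ValueError(f"{candidate!r} is not fully qualified and no domain was given")


def build_simple_receiver_request(mgmt_url, event, host, source, sourcetype, auth_header):
    """Build (but do not send) a POST to receivers/simple with host set explicitly."""
    query = urllib.parse.urlencode(
        {"host": host, "source": source, "sourcetype": sourcetype}
    )
    url = f"{mgmt_url.rstrip('/')}/services/receivers/simple?{query}"
    return urllib.request.Request(
        url,
        data=event.encode("utf-8"),
        method="POST",
        headers={"Authorization": auth_header},
    )


if __name__ == "__main__":
    # What this machine reports about itself; a short name here is the
    # situation the answer suggests raising with the server admins.
    print("local name reported by the OS:", socket.getfqdn())

    # Constructed sample: two servers named CWAPP01 in different domains.
    for domain in ("a.example.com", "b.example.com"):
        req = build_simple_receiver_request(
            "https://splunk.example.com:8089",       # assumed management URL
            '{"Level": "WARN", "pid": 4288}',         # constructed event body
            qualified_host("CWAPP01", domain),
            "w3wp",
            "Cherwell",
            "Bearer <token-placeholder>",             # placeholder credential
        )
        print(req.get_method(), req.full_url)
```
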
Correct, that is the document, for now it is not a lot of events.
How does Splunk actually ask for the hostname in this scenario? On the Splunk box I can ping both the long and short name. Does it ping it, or use a script to do a reverse lookup? Can I force it somewhere, like the connection_host parameter?
Thanks,
Peter
