We have configured a number of our Cherwell servers to send data to Splunk on our Management port 89 (default 8089). Issue is we have a few servers with the same name in different domains, so we need the host to be the FQDN, host.domain.com. Where or how would I set this? Is this a global setting? Is that port considered an input and I can set a connect_host for it?
Message: Duplicate script key being added with key: [postInitMenu]; value: ; type: [Startup]
host = CWAPP01 source = w3wp sourcetype = Cherwell
I am assuming your Cherwell servers have been configured to log to Splunk as described here?
I don't know how they implemented that integration, likely it is using the receivers/simple endpoint (which, btw, is not recommended for any kind of high volume logging. But that's a different story...).
That endpoint expects a host name in the request parameters, so this would have to be set in Cherwell code.
Having said that, it is likely a result of the hosts that run Cherwell not returning a FQDN when asked for their hostname. I would start with the server admins of those boxes.
Correct, that is the document. For now it is not a lot of events.
How does Splunk actually ask for the hostname in this scenario? On the Splunk box I can ping both the long and short name. Does it ping it, or use a script to do a reverse lookup? Can I force it somewhere, like the connection_host parameter?
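The answer above points out that the receivers/simple endpoint takes the host name as a request parameter, so the sending side decides what ends up in `host`. The following Python code is an added example (not part of the original thread and not Cherwell's code) that picks a fully qualified host value and builds such a request; the Splunk URL, the domain names and the Authorization value are constructed placeholders, and the function names are hypothetical.

```python
import socket
import urllib.parse
import urllib.request


def resolve_host_field(hostname=None, fqdn=None, fallback_domain=None):
    """Return the value to send as `host`, insisting on a fully qualified name."""
    hostname = hostname or socket.gethostname()
    fqdn = fqdn or socket.getfqdn(hostname)
    if "." in fqdn:
        return fqdn.lower()
    # The box only reports its short name. Qualify it explicitly or refuse,
    # so two CWAPP01 servers in different domains never share one host value.
    if fallback_domain:
        return f"{hostname}.{fallback_domain}".lower()
    raise ValueError(f"{hostname!r} did not resolve to an FQDN")


def build_simple_receiver_request(base_url, event, host, source, sourcetype, auth_header):
    """Build (but do not send) a POST to /services/receivers/simple.

    host, source and sourcetype travel as query parameters; the raw event
    text is the request body.
    """
    query = urllib.parse.urlencode(
        {"host": host, "source": source, "sourcetype": sourcetype}
    )
    url = f"{base_url.rstrip('/')}/services/receivers/simple?{query}"
    return urllib.request.Request(
        url,
        data=event.encode("utf-8"),
        method="POST",
        headers={"Authorization": auth_header},
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    host = resolve_host_field("CWAPP01", "CWAPP01", fallback_domain="corp.example.com")
    req = build_simple_receiver_request(
        "https://splunk.example.com:89",      # management port from the question
        "Message: constructed sample event",
        host, "w3wp", "Cherwell",
        "Basic PLACEHOLDER",                   # assumption: caller supplies credentials
    )
    print(req.get_method(), req.full_url)
```

Searching on `host=cwapp01.corp.example.com` versus the same short name in another domain then separates the two servers, provided the sender is the one supplying the qualified value.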