Getting Data In

Host name incorrect for Cherwell input. How do we configure Splunk to use the FQDN for host?

Explorer

Hello,

We have configured a number of our Cherwell servers to send data to Splunk on our Management port 89 ( default 8089 ). Issue is we have a few servers with the same name in different domains, so we need the host to be the FQDN, host.domain.com. Where or how would I set this? Is this a global setting? is that port considered an input and I can set a connect_host for it?

Thanks,
Peter

{ [-]
Level: WARN
Message: Duplicate script key being added with key: [postInitMenu]; value: []; type: [Startup]
ThreadName: Thread_22
TimeStamp: 2016-08-17T15:29:23.9734481-04:00
pid: 4288
}
Show as raw text
host = CWAPP01 source = w3wp sourcetype = Cherwell

0 Karma

Splunk Employee
Splunk Employee

Hi Peter,
I am assuming your Cherwell servers have been configured to log to Splunk as described here?

I don't know how they implemented that integration, likely it is using the receivers/simple endpoint (which, btw, is not recommended for any kind of high volume logging. But that's a different story...).
That endpoint expects a host name in the request parameters, so this would have to be set in Cherwell code.

Having said that, it is likely a result of the hosts that run Cherwell not returning a FQDN when asked for their hostname. I would start with the server admins of those boxes.

0 Karma

Explorer

Correct, that is the document, for now it is not a lot of events.

How does Splunk actually ask for the hostname in this scenario? On the Splunk box i can ping both the long and short name. Does it ping it, or use a script to do a reverse lookup? Can I force it somewhere, like the connection_host parameter?

Thanks,
Peter

0 Karma