Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Host name incorrect for Cherwell input. How do we configure Splunk to use the FQDN for host?

pkasper
Explorer
‎08-17-2016 12:53 PM

Hello,

We have configured a number of our Cherwell servers to send data to Splunk on our Management port 89 ( default 8089 ). Issue is we have a few servers with the same name in different domains, so we need the host to be the FQDN, host.domain.com. Where or how would I set this? Is this a global setting? is that port considered an input and I can set a connect_host for it?

Thanks,
Peter

{ [-]
Level: WARN
Message: Duplicate script key being added with key: [postInitMenu]; value: []; type: [Startup]
ThreadName: Thread_22
TimeStamp: 2016-08-17T15:29:23.9734481-04:00
pid: 4288
}
Show as raw text
host = CWAPP01 source = w3wp sourcetype = Cherwell

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-18-2016 01:20 AM

Hi Peter,
I am assuming your Cherwell servers have been configured to log to Splunk as described here?

I don't know how they implemented that integration, likely it is using the receivers/simple endpoint (which, btw, is not recommended for any kind of high volume logging. But that's a different story...).
That endpoint expects a host name in the request parameters, so this would have to be set in Cherwell code.

Having said that, it is likely a result of the hosts that run Cherwell not returning a FQDN when asked for their hostname. I would start with the server admins of those boxes.

0 Karma
Reply

pkasper
Explorer
‎08-18-2016 05:50 AM

Correct, that is the document, for now it is not a lot of events.

How does Splunk actually ask for the hostname in this scenario? On the Splunk box i can ping both the long and short name. Does it ping it, or use a script to do a reverse lookup? Can I force it somewhere, like the connection_host parameter?

Thanks,
Peter

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...