Re: Hostnames displayed twice

chriscolinjacks · ‎01-31-2012

I'm running Splunk on RHEL, and using the Splunk App for Linux and Unix with the Universal Forwarder. I'm getting duplicate hosts though, ie:

foo

and

foo.bar.com

How can I get rid of the duplicate? I'd prefer to keep the FQDN.

lpolo · ‎02-01-2012

1) Check that in you local inputs.conf the host is equal to the FQDN.
2) Check that the hostname of your RHEL server is set to the FQDN you configured in inputs.conf.
3) Restart splunk if you have made any changes in inputs.conf.
4) Check the sourcetypes reporting foo by executing this search command:

index=main |stats count by host source sourcetype

The result set should show you what logs are reporting foo.

glitchcowboy · ‎08-28-2012

I'd like to do the opposite. . . Is there a way, once and for all to do away with mismatched FQDN/Short names? I'd prefer to keep the short names, but when I set the inputs.conf to have a short name, I end up with FQDN's via DNS and syslog. Do I need to have a global lookup and reference my entire internal DNS record or is there a better way?

Hostnames displayed twice

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation