- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I change the default hostname in Splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The servername in server.conf and the host in inputs.conf are automatically populated the first time splunk starts based on the results of the system command "hostname". So usually it returns the short hostname (from /etc/hosts, on linux, or the %SERVERNAME% in windows)
see the specifications :
in server.
[general]
serverName = <ASCII string>
* The name used to identify this Splunk instance for features such as distributed search.
* Defaults to <hostname>-<user running splunk>.
* May not be an empty string
* May contain environment variables
* After any environment variables have been expanded, the server name (if not an IPv6
address) can only contain letters, numbers, underscores, dots, and dashes; and
it must start with a letter, number, or an underscore.
* in inputs.conf
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
and http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/SetadefaulthostforaSplunkserver
[default]
host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing,
in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* WARNING: Do not quote the <string> value: host=foo, not host="foo".
* If set to '$decideOnStartup', will be interpreted as hostname of executing machine;
such interpretation will occur on each splunkd startup. This is the default.
So depending of your server, it will be the short hostname or the fully qualified hostname.
You can have your /etc/hosts being the full name.
Or the classic workaround is to update with the name of your choice, just after installing.
- edit the files
- or use the CLI
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Changedefaultvalues
./splunk set servername foo.domain.com
./splunk set default-hostname foo.domain.com
PS : if you are thinking of the name used for the deployment-server matching, you can also rewrite it in deploymentclient.conf as clientname.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
I have done both the below mentioned changes but abc01-2 is only appearing in "instance name" field of Deployment Server but no changes happened for the "host name".
Updates made in etc/system/local files of both the instances of the forwarder.
1. Splunk1
Inputs.conf
host = abc01
server.conf
[general]
serverName = abc01
- Splunk2 Inputs.conf host = abc01-2
server.conf
[general]
serverName = abc01-2
Kindly advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The servername in server.conf and the host in inputs.conf are automatically populated the first time splunk starts based on the results of the system command "hostname". So usually it returns the short hostname (from /etc/hosts, on linux, or the %SERVERNAME% in windows)
see the specifications :
in server.
[general]
serverName = <ASCII string>
* The name used to identify this Splunk instance for features such as distributed search.
* Defaults to <hostname>-<user running splunk>.
* May not be an empty string
* May contain environment variables
* After any environment variables have been expanded, the server name (if not an IPv6
address) can only contain letters, numbers, underscores, dots, and dashes; and
it must start with a letter, number, or an underscore.
* in inputs.conf
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
and http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/SetadefaulthostforaSplunkserver
[default]
host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing,
in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* WARNING: Do not quote the <string> value: host=foo, not host="foo".
* If set to '$decideOnStartup', will be interpreted as hostname of executing machine;
such interpretation will occur on each splunkd startup. This is the default.
So depending of your server, it will be the short hostname or the fully qualified hostname.
You can have your /etc/hosts being the full name.
Or the classic workaround is to update with the name of your choice, just after installing.
- edit the files
- or use the CLI
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Changedefaultvalues
./splunk set servername foo.domain.com
./splunk set default-hostname foo.domain.com
PS : if you are thinking of the name used for the deployment-server matching, you can also rewrite it in deploymentclient.conf as clientname.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
