Getting Data In

How can I change the default hostname in Splunk?

DerekB
Splunk Employee
Splunk Employee

I don't like the default hostname that shows up in Splunk. I would like to change it to the FQDN. How can I do this quickly after my first install of Splunk?

Tags (2)
1 Solution

yannK
Splunk Employee
Splunk Employee

The servername in server.conf and the host in inputs.conf are automatically populated the first time splunk starts based on the results of the system command "hostname". So usually it returns the short hostname (from /etc/hosts, on linux, or the %SERVERNAME% in windows)

see the specifications :

in server.

[general]
serverName = <ASCII string>
* The name used to identify this Splunk instance for features such as distributed search.
* Defaults to <hostname>-<user running splunk>.
* May not be an empty string
* May contain environment variables
* After any environment variables have been expanded, the server name (if not an IPv6
address) can only contain letters, numbers, underscores, dots, and dashes; and
it must start with a letter, number, or an underscore.

* in inputs.conf
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
and http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/SetadefaulthostforaSplunkserver


[default]
host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing,
in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* WARNING: Do not quote the <string> value: host=foo, not host="foo".
* If set to '$decideOnStartup', will be interpreted as hostname of executing machine;
such interpretation will occur on each splunkd startup. This is the default.

So depending of your server, it will be the short hostname or the fully qualified hostname.
You can have your /etc/hosts being the full name.
Or the classic workaround is to update with the name of your choice, just after installing.

  • edit the files
  • or use the CLI

http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Changedefaultvalues

./splunk set servername foo.domain.com

./splunk set default-hostname foo.domain.com


PS : if you are thinking of the name used for the deployment-server matching, you can also rewrite it in deploymentclient.conf as clientname.

View solution in original post

kamal_jagga
Contributor

Hi Guys,

I have done both the below mentioned changes but abc01-2 is only appearing in "instance name" field of Deployment Server but no changes happened for the "host name".

Updates made in etc/system/local files of both the instances of the forwarder.
1. Splunk1
Inputs.conf
host = abc01

server.conf
[general]
serverName = abc01

  1. Splunk2 Inputs.conf host = abc01-2

server.conf
[general]
serverName = abc01-2

Kindly advise.

0 Karma

yannK
Splunk Employee
Splunk Employee

The servername in server.conf and the host in inputs.conf are automatically populated the first time splunk starts based on the results of the system command "hostname". So usually it returns the short hostname (from /etc/hosts, on linux, or the %SERVERNAME% in windows)

see the specifications :

in server.

[general]
serverName = <ASCII string>
* The name used to identify this Splunk instance for features such as distributed search.
* Defaults to <hostname>-<user running splunk>.
* May not be an empty string
* May contain environment variables
* After any environment variables have been expanded, the server name (if not an IPv6
address) can only contain letters, numbers, underscores, dots, and dashes; and
it must start with a letter, number, or an underscore.

* in inputs.conf
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
and http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/SetadefaulthostforaSplunkserver


[default]
host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing,
in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* WARNING: Do not quote the <string> value: host=foo, not host="foo".
* If set to '$decideOnStartup', will be interpreted as hostname of executing machine;
such interpretation will occur on each splunkd startup. This is the default.

So depending of your server, it will be the short hostname or the fully qualified hostname.
You can have your /etc/hosts being the full name.
Or the classic workaround is to update with the name of your choice, just after installing.

  • edit the files
  • or use the CLI

http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Changedefaultvalues

./splunk set servername foo.domain.com

./splunk set default-hostname foo.domain.com


PS : if you are thinking of the name used for the deployment-server matching, you can also rewrite it in deploymentclient.conf as clientname.

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...