Getting Data In

How do I hard-code the FQDN as the "host" attribute? And how do I move all the old data from the computername to the FQDN?

zliu
Splunk Employee

I have 50+ Windows and Linux servers in each of 2 datacenters that have the same computername, but different Fully Qualified Domain Names. E.g.: both servers are RTWINFDC01, but each FQDN is RTWINFDC01.fra.rtwg.int -and- RTWINFDC01.dal.rtwg.int. I need my Splunk server to identify the "host" attribute with the FQDN. It seems somewhere along the way this happened, as there are duplicate entries for my hosts, one with the FQDN, and one with strictly the computername. Unfortunately, all the data is being logged under the computername, not the FQDN. How do I hard-code the FQDN as the "host" attribute? And how do I move all the old data from the computername to the FQDN?

1 Solution

jrodman
Splunk Employee

Generally, for the event texts, the value of host is controlled by the host=hostname value in the top of etc/system/local/inputs.conf. This value sets the default for this configuration across all of your input stanzas.

For some sourcetypes (mostly syslog) we try to grab the hostname out of the text of the events.

For your desire to rewrite the host field for existing events, you could alias the old value to the desired value so that searches would return all the data, but you might be happier by simply reindexing that data, or allowing the old data to roll out.
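As an added illustration of the answer above (constructed for this page, not a file from the original thread): a `$SPLUNK_HOME/etc/system/local/inputs.conf` for the Frankfurt copy of RTWINFDC01. The `[default]` stanza carries the FQDN from the question; the two input stanzas below it are assumed inputs shown only to make the inheritance visible.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on RTWINFDC01.fra.rtwg.int
# (constructed example). Each server needs its own value here: on the
# Dallas twin this line would read host = RTWINFDC01.dal.rtwg.int, which
# is what keeps the two datacenters from collapsing into one host=RTWINFDC01.
[default]
host = RTWINFDC01.fra.rtwg.int

# Inputs with no host key of their own inherit the default above.
# (Assumed input, shown for illustration.)
[WinEventLog://Security]
disabled = 0

# A host key inside an input stanza takes precedence over [default] for
# that input only. (Assumed input and path, shown for illustration.)
[monitor:///var/log/secure]
sourcetype = linux_secure
host = RTWINFDC01.fra.rtwg.int

# Caveat from the answer: for syslog-style sourcetypes Splunk may extract
# the host from the event text instead, so events from those inputs can
# still carry the short computername regardless of this file.
```

After a restart, `| metadata type=hosts index=<your_index>` on the indexer lists the host values actually being written, which makes the old short name and the new FQDN easy to compare side by side.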


TonyLeeVT
Builder

Are you using Splunk Universal forwarder to send the data there?

If so, it would be nice if the Splunk UF had a way to change the host variable from hostname to fqdn or something similar.

If you have the following scenario it will cause issues:
host1.red.net
host1.blue.net

Both hosts show up as host=host1 which is obviously not ideal. In my case the logs do not indicate the IP address or FQDN and thus cannot be parsed from the logs.


mayler
Path Finder

I'm not sure how you've configured your data input. If you are doing UDP, Port Number, you can easily configure this. When configuring this you will see HOST: IP/DNS/Custom. Select DNS. It's that easy.

About changing the old names to the new names: Here it is:

http://www.splunk.com/base/Documentation/4.1/Knowledge/Tagthehostfield

"If you've changed the value of the host field for a given input, you can also tag events that are already in the index with the new host name to make it easier to search across your data set."


hulahoop
Splunk Employee

Does the FQDN appear in the event or the file name or neither?
