How to get the Windows host name in Forwarder Management on the deployment server to appear as the FQDN?

rkilen
Explorer

I have both Windows and Linux servers in my environment, with Deployment apps for both production and test for each OS (e.g. unix and unixtest). When I look at Forwarder Management on the Deployment Server and select one of the Linux apps, the Host Name field is the FQDN, but the Windows apps list only the computer name. On both platforms, inputs.conf configures host to be the FQDN.

When I look at splunkd.log on the DS to see what connections are coming in, I see connectionId is "connection_" followed by five fields separated by "_", which appear to be the IP, management port, FQDN, another host field, and something that looks like a UUID. The fourth field is the computer name for Windows, and the FQDN again for Linux. What I think I need to do is to change the fourth field to be the FQDN on Windows. How can I do that?

0 Karma

bduffey
New Member

Adding hostnameOption=fullyqualifiedname does not resolve this issue for me either. When I view Settings | Forwarder Management I see a list of hosts reporting into the forwarder - the 'instance name' column is the FQDN but the 'host name' field is the short name (unqualified).

As I read http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf - I should be able to add hostnameOption to server.conf - but I don't see any difference when doing that.

0 Karma

locose
Path Finder

Hello

So on 2 of my Windows servers, in ...\etc\apps\%appname%\local\inputs.conf, I added

hostnameOption = fullyqualifiedname

and restarted the UF. When I searched for host=xxxx* it was still the short name that showed up.

Femi

0 Karma

bmacias84
Champion

This post is in regard to the deployment server, not indexing or inputs.

If you want the FQDN to be included in your index data, edit your inputs.conf default stanza.

[default]
host = FQDN.foo.net

0 Karma

benjamincortega
New Member

I'm having the same issues with Windows boxes. I'm unable to override any hostname as shown in Forwarder Management, and therefore am unable to set up whitelists based on FQDNs or otherwise altered hostnames passed from forwarder config files using any (all) of the host, serverName, or hostnameOption arguments, although the indexed data does show the updated hostname.

0 Karma

rkilen
Explorer

I'll try to clarify what I'm seeing, as I've tried the suggested answer, plus suggestions from the question posted at http://answers.splunk.com/answers/171928/how-can-i-control-the-clients-host-name-that-appea.html

The connectionId field is composed of these "_"-separated fields:

  • connection
  • 8089 (or the overridden management port)
  • (pretty sure this is serverName in server.conf)
  • (not sure where this can be overridden, but my Linux servers return FQDN, while Windows servers return just the computer name)
  • (this is set by clientName in deploymentclient.conf)

I haven't found anything that changes by setting hostnameOption in server.conf, at least in regard to the connection as reported in Forwarder Management.

I have serverName in server.conf and host in inputs.conf set to the FQDN, but neither affects the HostName returned in the connectionId field.

0 Karma

bmacias84
Champion

This is controlled by the server.conf.

[general]
serverName = <ASCII string>
# hostnameOption is only for Windows. Set this to fullyqualifiedname.
hostnameOption = <ASCII string>

Read http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

0 Karma

rkilen
Explorer

That doesn't change the fourth field to match what I specified for hostnameOption. The Windows server still shows up in Forwarder Management as only the computer name, not FQDN.

ahmedn_splunk
Splunk Employee

Hi, have you found a solution for your issue? I'm having the same issue and need to change the hostname field to be the FQDN instead of the short name on the Forwarder Management page.

0 Karma

pellegrini
Path Finder

Are you changing the hostname field in the Splunk code or is this configurable?

I thought "Host Name" on the Forwarder Management page was the hostname short name set in inputs.conf, even if you configured host=$decideOnStartup and hostnameOption = fullyqualifiedname for Windows. But it is not.

The Host Name in Forwarder Management is the same as you would get using the hostname shell command in both *nix and Windows. It is very useful to see the real hostname together with Client Name (which is either GUID by default or coming from deploymentclient.conf) and Instance Name (which is serverName in server.conf).

Also, if you edit clients in a Serverclass, you will see something called DNS Name. It is equivalent to DNS response on Deployment Server e.g. using shell command nslookup <hostname>. (The Deployment Server does a reverse lookup using the IP address of the incoming TCP packets. If it fails, DNS Name will have the IP address instead.)

I have not seen any proper documentation of all these different names anywhere, so this is an area with lots of misunderstandings.

Servers with forwarders installed easily get an incorrect host name and serverName once the servers are cloned or renamed, which happens all the time. It can easily become a mess.
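
An added example, not part of the original thread and not Splunk code: a small audit of the connectionId values discussed above, which splits each one into the fields rkilen lists and flags clients whose host name is unqualified or no longer matches serverName (the cloned or renamed case). The field order and the field-to-setting mapping are taken from the posts in this thread and are assumptions; the sample values are constructed, and serverName and host name are assumed to contain no underscore.

```python
# Constructed sample values, shaped as the thread describes:
# connection_<ip>_<mgmt port>_<serverName>_<hostname>_<clientName or GUID>
SAMPLE_IDS = [
    "connection_10.1.2.10_8089_lnx01.example.net_lnx01.example.net_"
    "6F9C1A2E-0000-4000-8000-000000000001",
    "connection_10.1.2.20_8089_win01.example.net_WIN01_"
    "6F9C1A2E-0000-4000-8000-000000000002",
    "connection_10.1.2.30_8090_win02.example.net_WIN02_prod_windows_client",
    "connection_10.1.2.40_8089_win01.example.net_WIN07_"
    "6F9C1A2E-0000-4000-8000-000000000004",
    "connection_truncated",
]

# Field names are this example's own labels (assumed mapping from the thread).
FIELDS = ("ip", "mgmt_port", "server_name", "host_name", "client_name")


def parse_connection_id(conn_id):
    """Return the five fields as a dict, or None if the value is malformed."""
    # maxsplit=5 keeps underscores inside a custom clientName intact.
    parts = conn_id.strip().split("_", 5)
    if len(parts) != 6 or parts[0] != "connection" or not parts[2].isdigit():
        return None
    return dict(zip(FIELDS, parts[1:]))


def classify(conn_id):
    """Label one client: unparsed, stale-servername, fqdn or short."""
    rec = parse_connection_id(conn_id)
    if rec is None:
        return "unparsed", None
    host_label = rec["host_name"].split(".")[0].lower()
    server_label = rec["server_name"].split(".")[0].lower()
    if host_label != server_label:
        # serverName no longer matches the OS hostname (clone or rename).
        return "stale-servername", rec
    return ("fqdn" if "." in rec["host_name"] else "short"), rec


def audit(conn_ids):
    """Group reported host names by label so short or stale ones stand out."""
    report = {}
    for conn_id in conn_ids:
        label, rec = classify(conn_id)
        report.setdefault(label, []).append(rec["host_name"] if rec else conn_id)
    return report


if __name__ == "__main__":
    for label, names in sorted(audit(SAMPLE_IDS).items()):
        print(f"{label}: {', '.join(names)}")
```

Clients listed under "short" are the ones a serverclass filter written against FQDNs will not match on Host Name; those under "stale-servername" need their forwarder configuration corrected before any name-based filter is trusted.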
