I have both Windows and Linux servers in my environment, with Deployment apps for both production and test for each OS (e.g. unix and unixtest). When I look at Forwarder Management on the Deployment Server and select one of the Linux apps, the Host Name field is the FQDN, but the Windows apps list only the computer name. On both platforms, inputs.conf configures host to be the FQDN.
When I look at splunkd.log on the DS to see what connections are coming in, I see connectionId is "connection_" followed by five fields separated by "_", which appear to be the IP, management port, FQDN, another host field, and something that looks like a UUID. The fourth field is the computer name for Windows, and the FQDN again for Linux. What I think I need to do is to change the fourth field to be the FQDN on Windows. How can I do that?
Adding hostnameOption=fullyqualifiedname does not resolve this issue for me either. When I view Settings | Forwarder Management I see a list of hosts reporting into the forwarder - the 'instance name' column is the FQDN but the 'host name' field is the short name (unqualified).
As I read http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf - I should be able to add hostnameOption to server.conf - but I don't see any difference when doing that.
So on 2 of my Windows servers ...\etc\apps\%appname%\local\inputs.conf, I added
hostnameOption = fullyqualifiedname
and restarted the UF. When I searched for host=xxxx* it still was the short name that showed up.
This post is in regard to the deployment server, not indexing or inputs.
If you want the FQDN to be included in your index data, edit your inputs.conf default stanza.
[default]
host = FQDN.foo.net
I'm having the same issues with Windows boxes. I'm unable to override any hostname as shown in Forwarder Management, and therefore am unable to set up whitelists based on FQDNs or otherwise altered hostnames passed from forwarder config files using any (all) of the host, serverName, or hostnameOption arguments, although the indexed data does show the updated hostname.
I'll try to clarify what I'm seeing, as I've tried the suggested answer, plus suggestions from the question posted at http://answers.splunk.com/answers/171928/how-can-i-control-the-clients-host-name-that-appea.html
The connectionId field is composed of these "_"-separated fields:
I haven't found anything that changes by setting hostnameOption in server.conf, at least in regard to the connection as reported in Forwarder Management.
I have serverName in server.conf and host in inputs.conf set to the FQDN, but neither affects the HostName returned in the connectionId field.
This is controlled by the server.conf.
[general]
serverName = <ASCII string>
# hostnameOption is only for windows. set this to fullyqualifiedname
hostnameOption = <ASCII string>
Are you changing the hostname field in the Splunk code or is this configurable?
I thought "Host Name" on the Forwarder Management page was the short hostname set in inputs.conf, even if you configured host=$decideOnStartup and hostnameOption = fullyqualifiedname for Windows. But it is not.
The Host Name in Forwarder Management is the same as you would get using the hostname shell command in both *nix and Windows. It is very useful to see the real hostname together with Client Name (which is either GUID by default or coming from deploymentclient.conf) and Instance Name (which is serverName in server.conf).
Also, if you edit clients in a Serverclass, you will see something called DNS Name. It is equivalent to DNS response on Deployment Server e.g. using shell command nslookup <hostname>. (The Deployment Server does a reverse lookup using the IP address of the incoming TCP packets. If it fails, DNS Name will have the IP address instead.)
I have not seen any proper documentation of all these different names anywhere, so this is an area with lots of misunderstandings.
Servers with forwarders installed on them easily get an incorrect host name and serverName once servers are cloned or renamed, which happens all the time. It can easily be a mess.
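Added example, not part of any post in this thread and not Splunk code: a parser for the connectionId layout the question describes (IP, management port, FQDN, host name, UUID), used to list the clients whose fourth field is an unqualified name and would therefore not match a whitelist written against the FQDN. The layout is the poster's observation rather than a documented format; IPv4 addresses, the function names and the sample lines are assumptions.

```python
import re

# Layout as observed by the poster (not a documented format):
#   connection_<ip>_<mgmt port>_<fqdn>_<host name>_<uuid>
CONN_RE = re.compile(
    r"connection_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<port>\d+)_(?P<names>\S+)"
    r"_(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
)

def split_names(names):
    """Split '<fqdn>_<host>'; computer names may themselves contain '_'."""
    cuts = [i for i, c in enumerate(names) if c == "_"]
    for i in cuts:
        fqdn, host = names[:i], names[i + 1:]
        # The host field is either the FQDN again or its first label.
        if host.lower() in (fqdn.lower(), fqdn.lower().split(".")[0]):
            return fqdn, host
    if len(cuts) == 1:          # unrelated names, but only one possible split
        return names[:cuts[0]], names[cuts[0] + 1:]
    return None                 # ambiguous: do not guess

def parse_connection_id(text):
    m = CONN_RE.search(text)
    names = split_names(m.group("names")) if m else None
    if names is None:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "fqdn": names[0], "host": names[1], "uuid": m.group("uuid")}

def short_name_clients(lines):
    """Clients whose fourth field is an unqualified name, not the FQDN."""
    found = {}
    for line in lines:
        rec = parse_connection_id(line)
        if rec and "." not in rec["host"] and rec["host"].lower() != rec["fqdn"].lower():
            found[rec["uuid"]] = rec     # one entry per client
    return sorted(found.values(), key=lambda r: r["fqdn"])

# Constructed sample lines (not real splunkd.log output).
SAMPLE = [
    "connectionId=connection_10.0.0.21_8089_lnx01.example.net_lnx01.example.net_11111111-2222-3333-4444-555555555555",
    "connectionId=connection_10.0.0.35_8089_win01.example.net_WIN01_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "connectionId=connection_10.0.0.36_8089_app_srv.example.net_APP_SRV_99999999-8888-7777-6666-555555555555",
]

if __name__ == "__main__":
    for rec in short_name_clients(SAMPLE):
        print(rec["ip"], rec["fqdn"], "->", rec["host"])
```

Lines whose name fields cannot be split unambiguously are skipped rather than guessed, so a client missing from the output is not proof that it reports its FQDN.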