Getting Data In

How to get the Windows host name in Forwarder Management on the deployment server to appear as the FQDN?

Explorer

I have both Windows and Linux servers in my environment, with Deployment apps for both production and test for each OS (eg unix and unixtest). When I look at Forwarder Management on the Deployment Server and select one of the Linux apps, the Host Name field is the FQDN, but the Windows apps list only the computer name. On both platforms, inputs.conf configures host to be the FQDN.

When I look at splunkd.log on the DS to see what connections are coming in, I see connectionId is "connection_" followed by five fields separated by "_", which appear to be the IP, management port, FQDN, another host field, and something that looks like a UUID. The fourth field is the computer name for Windows, and the FQDN again for Linux. What I think I need to do is to change the fourth field to be the FQDN on Windows. How can I do that?

0 Karma

New Member

Adding hostnameOption=fullyqualifiedname does not resolve this issue for me either. When i view Settings | Forwarder Management I see a list of hosts reporting into the forwarder - the 'instance name' column is the FQDN but the 'host name' field is the short name (unqualified)

As i read http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf - i should be able to add hostnameOption to server.conf - but i don't see any difference when doing that.

0 Karma

Path Finder

Hello

so on 2 of my Windows servers ...\etc\apps\%appname%\local\inputs.conf , I added

hostnameOption = fullyqualifiedname

restarted the UF. When I searched for host=xxxx* it still was the short name that showed up.

Femi

0 Karma

Champion

This post is in regards to deployment server not indexing or inputs.

If you want the FQDN to be included in your index data edit your inputs.conf default stanza.

[default]
host = FQDN.foo.net
0 Karma

New Member

I'm having the same issues with windows boxes. I'm unable to override any hostname as shown in forwarder management, and therefore am unable to set up whitelists based on fqdns or otherwise altered hostnames passed from forwarder config files using any (all) of the host, serverName, or hostnameOption arguments. although the indexed data does show the updated hostname.

0 Karma

Explorer

I'll try to clarify what I'm seeing, as I've tried the suggested answer, plus suggestions from the question posted at http://answers.splunk.com/answers/171928/how-can-i-control-the-clients-host-name-that-appea.html

The connectionId field is composed of these "_"-separated fields:

  • connection
  • 8089 (or the overridden management port)
  • (pretty sure this is serverName in server.conf)
  • (not sure where this can be overridden, but my Linux servers return FQDN, while Windows servers return just the computer name)
  • (this is set by clientName in deploymentclient.conf)

I haven't found anything that changes by setting hostnameOption in server.conf, at least in regard to the connection as reported in Forwarder Management.

I have serverName in server.conf and host in inputs.conf set to the FQDN, but neither affects the HostName returned in the connectionId field.

0 Karma

Champion

This is controlled by the server.conf.

[general]
serverName = <ASCII string>
# hostnameOption is only for windows.  set this to fullyqualifiedname
hostnameOption = <ASCII string>

Read http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

0 Karma

Explorer

That doesn't change the fourth field to match what I specified for hostnameOption. The Windows server still shows up in Forwarder Management as only the computer name, not FQDN.

0 Karma

Splunk Employee
Splunk Employee

Hi, Have you found a solution for your issue? I'm having the same issue and need to change the hostname field to be the FQDN instead of short name on the forwarder management.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!