I have both Windows and Linux servers in my environment, with Deployment apps for both production and test for each OS (e.g. unix and unixtest). When I look at Forwarder Management on the Deployment Server and select one of the Linux apps, the Host Name field is the FQDN, but the Windows apps list only the computer name. On both platforms, inputs.conf configures host to be the FQDN.
When I look at splunkd.log on the DS to see what connections are coming in, I see connectionId is "connection_" followed by five fields separated by "_", which appear to be the IP, management port, FQDN, another host field, and something that looks like a UUID. The fourth field is the computer name for Windows, and the FQDN again for Linux. What I think I need to do is to change the fourth field to be the FQDN on Windows. How can I do that?
Adding hostnameOption=fullyqualifiedname does not resolve this issue for me either. When I view Settings | Forwarder Management I see a list of hosts reporting into the forwarder - the 'instance name' column is the FQDN but the 'host name' field is the short name (unqualified).
As I read http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf - I should be able to add hostnameOption to server.conf - but I don't see any difference when doing that.
So on 2 of my Windows servers, in ...\etc\apps\%appname%\local\inputs.conf, I added
hostnameOption = fullyqualifiedname
and restarted the UF. When I searched for host=xxxx* it still was the short name that showed up.
This post is in regard to the deployment server, not indexing or inputs.
If you want the FQDN to be included in your index data, edit your inputs.conf default stanza.
[default]
host = FQDN.foo.net
I'm having the same issues with Windows boxes. I'm unable to override any hostname as shown in Forwarder Management, and therefore am unable to set up whitelists based on FQDNs or otherwise altered hostnames passed from forwarder config files using any (all) of the host, serverName, or hostnameOption arguments, although the indexed data does show the updated hostname.
I'll try to clarify what I'm seeing, as I've tried the suggested answer, plus suggestions from the question posted at http://answers.splunk.com/answers/171928/how-can-i-control-the-clients-host-name-that-appea.html
The connectionId field is composed of these "_"-separated fields:
I haven't found anything that changes by setting hostnameOption in server.conf, at least in regard to the connection as reported in Forwarder Management.
I have serverName in server.conf and host in inputs.conf set to the FQDN, but neither affects the HostName returned in the connectionId field.
This is controlled by the server.conf.
[general]
serverName = <ASCII string>
# hostnameOption is only for Windows. Set this to fullyqualifiedname
hostnameOption = <ASCII string>
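Added example, not part of the original thread and not Splunk's code: a Python script that parses the connectionId layout described in the question (IP, management port, FQDN, host name, GUID-like id) and lists the clients whose host name field is not the FQDN, which are the ones an FQDN-based whitelist would miss. The log lines are constructed samples and the function names are hypothetical; only the field layout is taken from the thread.

```python
import re

# Assumption (from the thread): connection_<ip>_<mgmt port>_<FQDN>_<host name>_<GUID-like id>
CONN_RE = re.compile(
    r"connection_(?P<ip>[^_\s]+)_(?P<port>\d+)_"
    r"(?P<hosts>\S+)_(?P<guid>[0-9A-Fa-f-]{36})\b"
)

def split_hosts(hosts):
    """Split '<FQDN>_<host name>'. Windows computer names may contain '_',
    so try every '_' and keep the split where the two halves agree."""
    cuts = [i for i, ch in enumerate(hosts) if ch == "_"]
    for i in cuts:
        fqdn, name = hosts[:i], hosts[i + 1:]
        if name.lower() in (fqdn.lower(), fqdn.lower().split(".")[0]):
            return fqdn, name
    if len(cuts) == 1:  # names disagree, but only one split is possible
        return hosts[:cuts[0]], hosts[cuts[0] + 1:]
    return None  # ambiguous: leave for manual review

def parse_connection_id(text):
    m = CONN_RE.search(text)
    pair = split_hosts(m["hosts"]) if m else None
    if pair is None:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "fqdn": pair[0],
            "host_name": pair[1], "guid": m["guid"]}

def short_name_clients(log_text):
    """One record per client (keyed by GUID) whose host name is not its FQDN."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_connection_id(line)
        if rec and rec["host_name"].lower() != rec["fqdn"].lower():
            seen[rec["guid"]] = rec
    return sorted(seen.values(), key=lambda r: r["fqdn"])

# Constructed sample lines (not real splunkd.log output).
SAMPLE_LOG = """\
connectionId=connection_10.1.2.10_8089_lnx01.example.net_lnx01.example.net_11111111-2222-3333-4444-555555555555
connectionId=connection_10.1.2.20_8089_WIN01.example.net_WIN01_AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
connectionId=connection_10.1.2.21_8089_WEB_01.example.net_WEB_01_AAAAAAAA-BBBB-CCCC-DDDD-FFFFFFFFFFFF
connectionId=connection_10.1.2.20_8089_WIN01.example.net_WIN01_AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
"""

if __name__ == "__main__":
    for rec in short_name_clients(SAMPLE_LOG):
        print(f'{rec["host_name"]:<10} {rec["fqdn"]:<22} {rec["ip"]}')
```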