Solved: How to make sure all servers checking in with the ...

jlemoine · ‎01-19-2017

I've noticed that among all of the universal forwarders checking in with my deployment server, there is no consistency in which hosts are fully qualified domain names (FQDN), e.g. myserver.mydomain.com, and which hosts just check in with short names, e.g. myserver.

Can someone tell me how to control this function? Ideally, I want all servers checking in with the deployment server to use FQDNs.

Thanks in advance!

woodcock · ‎01-19-2017

Edit server.conf:

hostnameOption = <ASCII string>
* The option used to specify the detail in the server name used to identify this Splunk instance.
* Can be one of "fullyqualifiedname" , "clustername", "shortname"
* Is applicable to Windows only
* Shall not be an empty string

View solution in original post

woodcock · ‎01-19-2017

Edit server.conf:

hostnameOption = <ASCII string>
* The option used to specify the detail in the server name used to identify this Splunk instance.
* Can be one of "fullyqualifiedname" , "clustername", "shortname"
* Is applicable to Windows only
* Shall not be an empty string

jlemoine · ‎01-20-2017

Thank you.

Interesting about the "only to applicable to Windows only" caveat.

Actually, now that I look at it, it is only the Windows hosts that are not qualified on the forwarder management page. All of the *nix hosts are.

How to make sure all servers checking in with the deployment server use FQDN?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...