I have a couple of 3rd party appliances/servers that have the same server name. I tried to set up a forwarder on these puppies, but the fact that they have the same hostname makes things hard. I tried to address the issue in the "inputs.conf" file by changing the following:
[default]
host = somedifferentname01
And it worked for some of the indexed data, but not all. I see index data attributed to both names from the same server.
When I looked at the "server.conf" file I saw the following:
[general]
serverName = originalDuplicateServerName
My questions are:
Thanks in advance for any help sent this way.
After working with Splunk support, here is what happened. In the inputs.conf file where I describe the data files to be forwarded, I did not have a "sourcetype = xxxxxxx" entry. Some of the files I was forwarding were identified as syslog files by the indexer. Syslog files take the name of the sending server from the raw data in the event string over anything else. When I added a sourcetype entry, the host name override worked.
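To make the accepted answer concrete, here is an added example of a forwarder-side inputs.conf (this is not configuration from the original thread or from the vendor); the paths, the sourcetype names, the index name and the host value are assumptions chosen for illustration. The point it shows is that each monitor stanza carries an explicit, non-"syslog" sourcetype alongside the host override, so the indexer never applies its default syslog host extraction and the host field is taken from the forwarder's configuration rather than from a header inside the event, which is also the value you want for reliable host attribution when correlating events from identically named appliances:

```ini
# inputs.conf on the universal forwarder (added example, not from the thread).
# Assumed values: the monitored paths, the sourcetype names, the index
# "vendor" and the host value "appliance01" are placeholders.

[default]
# Fallback host for any stanza that does not set its own.
host = appliance01

[monitor:///opt/vendor/logs/app.log]
# Explicit host override for this input, unique per appliance.
host = appliance01
# A custom sourcetype: because it is not "syslog", the indexer's built-in
# syslog host extraction (which rewrites host from the event text) is not applied.
sourcetype = vendor_appliance_log
index = vendor

[monitor:///var/log/messages]
host = appliance01
# Even for syslog-formatted files, a custom sourcetype keeps the configured
# host instead of the hostname embedded in each syslog line.
sourcetype = vendor_syslog
index = vendor
```

After restarting the forwarder, a quick check on the indexer is a search such as `index=vendor earliest=-15m | stats count by host, sourcetype`: every row should show the host you configured, and any row still carrying the vendor's duplicate name points to a stanza that is missing its sourcetype or host line.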
You would have to update the server.conf in order to change the host name. You can use IP or any other string value.
This update will change the server name from any data that will get indexed after the change. Older/already indexed data will not get changed.
If the data for this forwarder has its own sourcetype, then you can create a calculated field with a name of your choice so that the host can be changed for all events.
Well, I set the "host" attribute in the "inputs.conf" file and the "serverName" in the "server.conf" file for all servers I'm working on to their respective IP addresses. Only 1 is sending data with the "host" as the IP address. The rest are using the vendor's original hostname that's the same for all. Any ideas on what I forgot to flush out?
1 - it should only set the "host" value for what is indexed
2 - Unclear what you want to override - the server.conf servername is for the non-indexing applications
3 - Yes you can use IP addresses
Thanks for these answers. I will try the IP to make things easier to understand in the indexed data. And here are some replies to your answers:
Things would have been a lot easier if the vendor simply added "01" or whatever to the host names of his appliances to make them unique. But what do I know. 😞