Getting Data In

How to override the forwarder host names for 3rd party servers that share the same server name?

OldManEd
Builder

I have a couple of 3rd party appliances/servers that have the same server name. I tried to set up a forwarder on these puppies but the fact that they have the same hostname makes things hard. I tried to address the issue in the "inputs.conf" file by changing the following:

[default]
host = somedifferentname01

And it worked for some of the indexed data, but not all. I see index data attributed to both names from the same server.

When I looked at the "server.conf" file I saw the following:

[general]
serverName = originalDuplicateServerName

My questions are:

  1. Does the "host" attribute under the "default" stanza in the "inputs.conf" file override the actual server name?
  2. If I want to override the name, do I have to update the "serverName" attribute in the "server.conf" file?
  3. Can I just override the "host" and "serverName" attributes with the IP address to make things cleaner?

Thanks in advance for any help sent this way.

1 Solution

OldManEd
Builder

After working with Splunk support, here is what happened. In the inputs.conf file where I describe the data files to be forwarded, I did not have a "sourcetype = xxxxxxx" entry. Some of the files I was forwarding were identified as syslog files by the indexer. Syslog files take the name of the sending server from the raw data in the event string over anything else. When I added a sourcetype entry, the host name override worked.

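An added check (not from the thread or from Splunk) that illustrates the accepted answer: it reads an inputs.conf text, applies the [default] stanza inheritance Splunk uses, and lists monitor stanzas that carry a host override but no explicit sourcetype, which are the inputs whose host value can be displaced by syslog host extraction. The file paths and addresses in the sample are constructed for illustration.

```python
# Added example: flag inputs.conf monitor stanzas whose host override has no
# explicit sourcetype, so the indexer may auto-classify them as syslog and take
# the host from the raw event instead (the behaviour described in the thread).
import configparser
from typing import Dict, List

# Constructed sample, not a real deployment: a [default] host override,
# one stanza with an explicit sourcetype, one without, one with its own host.
SAMPLE_INPUTS_CONF = """
[default]
host = 192.0.2.10

[monitor:///var/log/appliance/app.log]
sourcetype = vendor_appliance
index = main

[monitor:///var/log/appliance/messages]
index = main

[monitor:///var/log/appliance/audit.log]
host = 192.0.2.11
sourcetype = vendor_audit
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf into {stanza: {key: value}} with [default] merged in."""
    # Splunk .conf files use [default] as the fallback for every other stanza;
    # configparser's default_section gives the same merge for free.
    cp = configparser.ConfigParser(interpolation=None, default_section="default")
    cp.optionxform = str  # keep key case: Splunk settings are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def effective_host(stanzas: Dict[str, Dict[str, str]], stanza: str) -> str:
    """Host a stanza will stamp on its events (stanza value, else [default])."""
    return stanzas[stanza].get("host", "")


def stanzas_missing_sourcetype(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Monitor stanzas that set or inherit a host but declare no sourcetype."""
    return [
        name for name, kv in stanzas.items()
        if name.startswith("monitor:") and "host" in kv and "sourcetype" not in kv
    ]


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for name in stanzas_missing_sourcetype(parsed):
        print(f"{name}: host={effective_host(parsed, name)} but no sourcetype")
```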

somesoni2
Revered Legend

You would have to update the server.conf in order to change the host name. You can use IP or any other string value.

This update will change the server name from any data that will get indexed after the change. Older/already indexed data will not get changed.

If data for this forwarder has its own sourcetype, then you can create a calculated field with your choice of name so that host can be changed for all events.


OldManEd
Builder

Well, I set the "host" attribute in the "inputs.conf" file and the "serverName" in the "server.conf" file for all servers I'm working on to their respective IP address. Only 1 is sending data with the "host" as the IP address. The rest are using the vendor's original hostname that's the same for all. Any ideas on what I forgot to flush out?


Simeon
Splunk Employee

1 - it should only set the "host" value for what is indexed
2 - Unclear what you want to override - the server.conf servername is for the non-indexing applications
3 - Yes you can use IP addresses


OldManEd
Builder

Thanks for these answers. I will try the IP to make things easier to understand in the indexed data. And here are some replies to your answers:

  1. That's what I thought. But for some reason I was getting indexed data returned from a search attributed to data from the actual host name and the name I changed it to. That was confusing.
  2. I didn't know this. I was thinking that the servername in the server.conf file that was still pointing to the original name, was overriding the "host" attribute that I updated in the inputs.conf file somehow.
  3. I'll change the "host" entry to the IP to see if that cleans things up.

Things would have been a lot easier if the vendor simply added "01" or whatever to the host names of his appliances to make them unique. But what do I know. 😞
