
Override hostname to FQDN in etc/system/local/inputs.conf on Windows Forwarder v6.5

kltest
Explorer

Hello,

I need to set Windows forwarders to use the FQDN as the hostname across all inputs, as I have duplicate hostnames in my environment. I've tried changing everything in a Splunk deployment app, but the only thing that seems to work is if I manually correct the entry in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf from hostname to FQDN.
From:
[default]
host = svr-vCenter

To:
[default]
host = svr-vCenter.domain.local

The changes that I've made in the deployment app have meant that the splunkd.log reports the name correctly:
10-08-2016 16:46:59.063 +0100 INFO ServerConfig - Host name option is "fullyqualifiedname".
10-08-2016 16:46:59.063 +0100 INFO ServerConfig - My hostname is "svr-vCenter.domain.local".

But anything sent to the Splunk indexer shows up as the shortname and the FQDN gets ignored unless I change the file above.

Is there any way I can automatically set this during install or afterwards in Splunk other than manually changing the contents of the file? What am I missing as this is driving me nuts!

Thanks,

Andy

TonyLeeVT
Builder

Were you able to discover a graceful solution? I am also having this issue. Quite frustrating that it does not default to the FQDN. Thanks.

0 Karma

ddrillic
Ultra Champion

The funny thing is that when we deploy the apps via the deployment server, we specify the servers in the serverclass.conf and we specify them using FQDN. So, why does the software determine the host name by itself after discovering it via set-up in serverclass.conf, which leads to these very annoying discrepancies?

So, it would be nice if there was a way to carry the name from the serverclass.conf to inputs.conf of the forwarder. It's true that sometimes, we specify a set of hosts in serverclass.conf using wildcards, which might make the transition more complex.

0 Karma

rjthibod
Champion

Check server.conf in the same local folder. I think there is a hostname setting in there.

Regarding how to handle this across multiple installs, the Splunk forwarder will set the hostname at the time of install if it is a fresh install. If you are copying system images that already contain the Splunk forwarder, you need to run an additional command to clear out the host-specific information. The command is ./splunk clone-prep-clear-config. If you are using this on an already cloned system, run that command and then restart the Splunk forwarder service. It should update its values upon restart.

Here are more detailed instructions about replicating Forwarder installation across multiple guests. http://docs.splunk.com/Documentation/Splunk/latest/Admin/Integrateauniversalforwarderontoasystemimag...

0 Karma

kltest
Explorer

Thanks rjthibod, but I know that if I change the inputs.conf on each forwarder that it fixes the issue. If I have to do this manually it's going to take a long time to log in to each and every server to make the change.

How can I accomplish this from the Splunk server without making changes directly on the forwarder?

0 Karma

rjthibod
Champion

Apologies for being slightly redundant.

As far as doing it from the Splunk server, the only thing I can think of that will change the files on the servers would be a custom deployment app.

From the Splunk Forwarder Management (Deployment Server), you would send an app to each forwarder. That app would just be a batch file or PowerShell script that edits the file in the manner you require. I am pretty sure the app runs with the permissions allocated to the forwarder, so potential access control issues could arise if the app doesn't run with system-level admin privileges needed to edit the configuration file.

Other than that, you could write a PowerShell script to perform remote commands on each server. That would be an exercise outside of Splunk (as you very well know).

0 Karma
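
The file edit that a deployment-app script or a remote PowerShell session would perform, as suggested in the replies above, could look like the following. It is an added example, not code from the thread or from Splunk; the path comes from the original question, while the `SplunkForwarder` service name and the `$Restart` switch are assumptions.

```powershell
# Added example (not from the thread): set host = <FQDN> in the [default]
# stanza of the forwarder's system/local/inputs.conf. Run elevated.
$ErrorActionPreference = 'Stop'

# Path from the original question; adjust for a non-default install directory.
$InputsConf  = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
$ServiceName = 'SplunkForwarder'   # assumption: default forwarder service name
$Restart     = $true               # set to $false if the forwarder itself launches this script

# Resolve the FQDN through DNS and refuse to write anything that is not dotted.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "Resolved name '$fqdn' is not fully qualified; inputs.conf left unchanged."
}

$out     = New-Object 'System.Collections.Generic.List[string]'
$stanza  = ''
$hostSet = $false
$changed = $false

foreach ($line in @(Get-Content -LiteralPath $InputsConf)) {
    if ($line -match '^\s*\[(.+?)\]\s*$') {
        # Leaving [default] without a host line: add one before the next stanza.
        if ($stanza -eq 'default' -and -not $hostSet) {
            $out.Add("host = $fqdn"); $hostSet = $true; $changed = $true
        }
        $stanza = $Matches[1]
    }
    elseif ($stanza -eq 'default' -and $line -match '^\s*host\s*=\s*(.*?)\s*$') {
        # Only the host key of [default] is rewritten; per-input host overrides stay.
        if ($Matches[1] -ne $fqdn) { $line = "host = $fqdn"; $changed = $true }
        $hostSet = $true
    }
    $out.Add($line)
}
if (-not $hostSet) {
    if ($stanza -ne 'default') { $out.Add('[default]') }
    $out.Add("host = $fqdn"); $changed = $true
}

if ($changed) {
    # Keep a backup, then write UTF-8 without a byte order mark.
    Copy-Item -LiteralPath $InputsConf -Destination "$InputsConf.bak" -Force
    [System.IO.File]::WriteAllLines($InputsConf, $out, (New-Object System.Text.UTF8Encoding($false)))
    if ($Restart) { Restart-Service -Name $ServiceName }
}
```

The script is idempotent: when the `[default]` host already equals the resolved FQDN, it writes nothing and does not restart the service. Without rights to write under Program Files it stops with an error instead of leaving a partial file.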