Getting Data In

Splunk Forwarder to automatically use FQDN as hostname, how to configure?

xisteam
Explorer

Hi!

How can I configure the Splunk Universal Forwarder on Linux to use the FQDN - basically the result of `hostname -f` - as hostname automatically, i.e. without "hard-wiring" the FQDN in any of Splunk's configuration files? If there is no simple configuration to do this, perhaps there is a way to do it with a script that is triggered every time I start the Splunk Forwarder?

I have been using host = $decideOnStartup in inputs.conf, which picks up the hostname of the machine. However, for many distros the hostname is just the first part of the FQDN.

Thank you!

0 Karma

tshah-splunk
Splunk Employee

Hi..!!

If you want to use FQDN for the host, you can continue using host = $decideOnStartup in inputs.conf. 

Along with this, you'll need to set the config below in server.conf:

hostnameOption=fullyqualifiedname

More information related to hostname can be found in server.conf

---
If you find the answer helpful, an upvote/karma is appreciated

xisteam
Explorer

Confirming @mattymo's response: unfortunately this does not work, Splunk still only takes the short hostname - not FQDN - as hostname.

0 Karma

mattymo
Splunk Employee

Looks like `hostnameOption` is Windows only, fyi..

hostnameOption = [ fullyqualifiedname | clustername | shortname ]
* The type of information to use to determine how splunkd sets the 'host' value for a Windows
  Splunk platform instance when you specify an input stanza with 'host = $decideOnStartup'.
* Applies only to Windows hosts, and only for input stanzas that use the
  "host = $decideOnStartup" setting and value.
* Valid values are "fullyqualifiedname", "clustername", and "shortname".
* The value returned for the 'host' field depends on Windows DNS, NETBIOS,
  and what the name of the host is.
  * 'fullyqualifiedname' uses Windows DNS to return the fully qualified host name as the value.
  * 'clustername' also uses Windows DNS, but sets the value to the domain and machine name.
  * 'shortname' returns the NETBIOS name of the machine.
* Cannot be an empty string.
* Default: shortname

  

- MattyMo

SanjayReddy
SplunkTrust

Can we also try the following option in inputs.conf:

[default]
host=<hostnameinfqdn>

0 Karma

xisteam
Explorer

Thanks, but unfortunately this does not work, Splunk still only takes the short hostname - not FQDN - as hostname.

0 Karma

SanjayReddy
SplunkTrust

Hi @xisteam 

Just for re-verification, I performed the same steps mentioned in my earlier reply on my personal system, and I am able to change the host value.

Under etc/system/local I added the following:

[default]
host=dummy

[monitor://C:\Program Files\Splunk\var\log\splunk\splunkd.log]
disabled = false
sourcetype = test
index = main

Restarted Splunk.

Now I am able to update the host name.

0 Karma

xisteam
Explorer

Sorry, I think you misunderstood my question. I already knew that specifying a hostname explicitly will work. However, I am interested in having the hostname automatically set - either on Splunk startup or machine startup or more often - to the FQDN of the machine at the time. Therefore if I ever change the hostname of the machine - which we do quite often here - the hostname Splunk uses will automatically change as well. And Splunk actually has a solution for MS Windows (use hostnameinfqdn in server.conf as mentioned above), but that does not work in Linux.

 

0 Karma

xisteam
Explorer

I meant using

hostnameOption=fullyqualifiedname

But it won't work in Linux.

0 Karma

SanjayReddy
SplunkTrust

Hi @xisteam 

Try using this command from $SPLUNK_HOME/bin:

./splunk set servername <servername>

It will update the server name in server.conf:

[general]
serverName = Server1


| rest /services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server

I hope this is what you are expecting?

0 Karma
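
A pre-start hook along the lines the original question asks about, added here as an example; it is not code from any poster in this thread or from Splunk. It rewrites `host` in the `[default]` stanza of `etc/system/local/inputs.conf` from `hostname -f` and refuses a value that is not fully qualified, so a short or malformed name never reaches the `host` field. The `/opt/splunkforwarder` fallback path, the function names and the `--apply` flag are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): sync inputs.conf [default] host to the FQDN.

# is_fqdn NAME: true only for a dotted name made of hostname characters.
# `hostname -f` can still return the short name when DNS or /etc/hosts has no
# qualified entry, and the value goes into a config file, so validate it first.
is_fqdn() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# set_conf_key FILE STANZA KEY VALUE: replace KEY inside [STANZA], add it when
# the stanza lacks it, or append the stanza when the file has none.
set_conf_key() {
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v stanza="[$2]" -v key="$3" -v value="$4" '
        function emit() { if (in_s && !done) { print key " = " value; done = 1 } }
        /^\[/ { emit(); in_s = ($0 == stanza); if (in_s) seen = 1 }
        in_s && $0 ~ "^[ \t]*" key "[ \t]*=" { emit(); next }
        { print }
        END { emit(); if (!seen) { print stanza; print key " = " value } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sync_host_field INPUTS_CONF NAME: write NAME as host, or refuse with status 2.
sync_host_field() {
    is_fqdn "$2" || { echo "refusing non-FQDN host value: '$2'" >&2; return 2; }
    set_conf_key "$1" default host "$2"
}

# Assumed invocation: `script --apply`, run before the forwarder starts.
if [ "${1:-}" = "--apply" ]; then
    conf="${SPLUNK_HOME:-/opt/splunkforwarder}/etc/system/local/inputs.conf"
    sync_host_field "$conf" "$(hostname -f)"
fi
```

Run it as the forwarder's user before `splunk start`, since the new value takes effect only when the forwarder is restarted.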