How can I configure Splunk Universal Forwarder in Linux to use the FQDN - basically the result of `hostname -f` - as hostname automatically, i.e. without "hard-wiring" the FQDN in any of Splunk's configuration files? If there is no simple configuration to do this, perhaps there is a way to do it with a script that is triggered every time I start Splunk Forwarder?
I have been using host = $decideOnStartup in inputs.conf, which picks up the hostname of the machine. However, for many distros the hostname is just the first part of the FQDN.
If you want to use FQDN for the host, you can continue using host = $decideOnStartup in inputs.conf.
Along with this, you'll need to set below config in server.conf
More information related to hostname can be found in server.conf
Confirming @mattymo response, unfortunately this does not work, Splunk still only takes the short hostname - not FQDN - as hostname.
Looks like `hostnameOption` is Windows only, fyi..
hostnameOption = [ fullyqualifiedname | clustername | shortname ]
* The type of information to use to determine how splunkd sets the 'host' value for a Windows Splunk platform instance when you specify an input stanza with 'host = $decideOnStartup'.
* Applies only to Windows hosts, and only for input stanzas that use the "host = $decideOnStartup" setting and value.
* Valid values are "fullyqualifiedname", "clustername", and "shortname".
* The value returned for the 'host' field depends on Windows DNS, NETBIOS, and what the name of the host is.
* 'fullyqualifiedname' uses Windows DNS to return the fully qualified host name as the value.
* 'clustername' also uses Windows DNS, but sets the value to the domain and machine name.
* 'shortname' returns the NETBIOS name of the machine.
* Cannot be an empty string.
* Default: shortname
Can we also try with
following option in inputs.conf
Thanks, but unfortunately this does not work, Splunk still only takes the short hostname - not FQDN - as hostname.
Just for re-verification, I performed the same steps mentioned in my earlier reply on my personal system, and I am able to change the host value.
Under etc/system/local I added the following:
disabled = false
sourcetype = test
index = main
Restarted Splunk.
Now I am able to update the host name.
Sorry, I think you misunderstood my question. I already knew that specifying a hostname explicitly will work. However, I am interested in having the hostname automatically set - either on Splunk startup or machine startup or more often - to the FQDN of the machine at the time. Therefore if I ever change the hostname of the machine - which we do quite often here - the hostname Splunk uses will automatically change as well. And Splunk actually has a solution for MS Windows (use hostnameinfqdn in server.conf as mentioned above), but that does not work in Linux.
I meant using
But it won't work in Linux.
Try using the command
./splunk set servername <servername>
It will update the server name in server.conf
serverName = Server1
| rest /services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
I hope this is what you are expecting?
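
The script the original question asks about, sketched as an added example that is not part of the thread or of Splunk's own tooling: it writes the current FQDN into `host` under `[default]` in inputs.conf and `serverName` under `[general]` in server.conf, and refuses any value that is not a dotted name so a broken resolver cannot relabel the forwarder's events. The function names and the `--apply` switch are hypothetical; the etc/system/local path is the one mentioned in the thread.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; paths follow etc/system/local.

# Accept only dotted DNS names so a short or empty value is never written.
is_fqdn() {
  printf '%s\n' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# set_ini_key FILE STANZA KEY VALUE: replace KEY inside [STANZA], or add it
# (and the stanza) when missing. Other stanzas are left untouched.
set_ini_key() {
  sik_file=$1
  [ -f "$sik_file" ] || : > "$sik_file"
  sik_tmp=$(mktemp "${sik_file}.XXXXXX") || return 1
  awk -v s="[$2]" -v k="$3" -v v="$4" '
    function emit() { if (in_s && !done) { print k " = " v; done = 1 } }
    /^\[/ { emit(); in_s = ($0 == s); if (in_s) seen = 1 }
    in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { emit(); next }
    { print }
    END { emit(); if (!seen) { print s; print k " = " v } }
  ' "$sik_file" > "$sik_tmp" && cat "$sik_tmp" > "$sik_file"  # cat keeps owner/mode
  sik_rc=$?
  rm -f "$sik_tmp"
  return "$sik_rc"
}

# update_splunk_host SPLUNK_HOME [NAME]: NAME defaults to `hostname -f`.
update_splunk_host() {
  ush_name=${2:-$(hostname -f 2>/dev/null)}
  if ! is_fqdn "$ush_name"; then
    echo "refusing non-FQDN host value: '$ush_name'" >&2
    return 1
  fi
  set_ini_key "$1/etc/system/local/inputs.conf" default host "$ush_name" &&
    set_ini_key "$1/etc/system/local/server.conf" general serverName "$ush_name"
}

# Run only when asked, e.g. from a wrapper invoked before the forwarder starts.
if [ "${1:-}" = "--apply" ]; then
  update_splunk_host "${SPLUNK_HOME:?set SPLUNK_HOME}"
fi
```

Input stanzas that set their own `host` are not changed, and a failed FQDN check leaves both files as they were.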