Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk forwarder restart causing incorrect host name

somesoni2
Revered Legend
‎03-14-2014 06:51 AM

Hi All,

I have few unix machine with Splunk forwarder installed on it. Everything was working fine and I was getting data from that server, say name was "myhost1". Yesterday, due to some reason I had to restart the forwarder. I made no changes to configuration file whatsoever but I restarted logged in as "root". After that all the data coming in has host values as "myhost1-root".

I again restarted the forwarder after few hours and I logged in as another user say mwuser and now host name is coming as "myhost1-mwuser".

Does anyone has faced this issue or provide me some guidance to how to troubleshoot this?
Thanks in advanced.

0 Karma
Reply

I_am_Jeff
Communicator
‎04-14-2014 11:09 AM

Since you mention "root" I'll assume this is a UNIX/Linux implementation. If splunk was originally running as a non-root user, then started as root any new files will be owned by root and possibly not readable or changeable by others. If you go back to the non-root user, various strange things will happen as various files will be unreadable or unchangeable. Check the file ownerships.

0 Karma
Reply

somesoni2
Revered Legend
‎03-14-2014 08:55 AM

Thanks for your quick response. Logically, it should be the same issue as mentioned in the post (server.conf still has $HOSTNAME-$USERNAME). I have requested copy of server.conf from this server, waiting for it to confirm.

0 Karma
Reply

gnovak
Builder
‎03-14-2014 07:29 AM

When you installed the forwarder, did you specify the server to use by running:

./splunk add forward-server <servername>:9997 -auth <username>:<password>

? This is very strange...Never heard of this before but I'm checking out the post from before.

0 Karma
Reply

lukejadamec
Super Champion
‎03-14-2014 07:21 AM

I've never seen it, but someone has:
http://answers.splunk.com/answers/12662/universal-forwarder-adds-root-to-servername

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...