Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk forwarder restart causing incorrect host name

somesoni2
Revered Legend
‎03-14-2014 06:51 AM

Hi All,

I have few unix machine with Splunk forwarder installed on it. Everything was working fine and I was getting data from that server, say name was "myhost1". Yesterday, due to some reason I had to restart the forwarder. I made no changes to configuration file whatsoever but I restarted logged in as "root". After that all the data coming in has host values as "myhost1-root".

I again restarted the forwarder after few hours and I logged in as another user say mwuser and now host name is coming as "myhost1-mwuser".

Does anyone has faced this issue or provide me some guidance to how to troubleshoot this?
Thanks in advanced.

0 Karma
Reply

I_am_Jeff
Communicator
‎04-14-2014 11:09 AM

Since you mention "root" I'll assume this is a UNIX/Linux implementation. If splunk was originally running as a non-root user, then started as root any new files will be owned by root and possibly not readable or changeable by others. If you go back to the non-root user, various strange things will happen as various files will be unreadable or unchangeable. Check the file ownerships.

0 Karma
Reply

somesoni2
Revered Legend
‎03-14-2014 08:55 AM

Thanks for your quick response. Logically, it should be the same issue as mentioned in the post (server.conf still has $HOSTNAME-$USERNAME). I have requested copy of server.conf from this server, waiting for it to confirm.

0 Karma
Reply

gnovak
Builder
‎03-14-2014 07:29 AM

When you installed the forwarder, did you specify the server to use by running:

./splunk add forward-server <servername>:9997 -auth <username>:<password>

? This is very strange...Never heard of this before but I'm checking out the post from before.

0 Karma
Reply

lukejadamec
Super Champion
‎03-14-2014 07:21 AM

I've never seen it, but someone has:
http://answers.splunk.com/answers/12662/universal-forwarder-adds-root-to-servername

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...