Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk forwarder restart causing incorrect host name

somesoni2
Revered Legend
‎03-14-2014 06:51 AM

Hi All,

I have few unix machine with Splunk forwarder installed on it. Everything was working fine and I was getting data from that server, say name was "myhost1". Yesterday, due to some reason I had to restart the forwarder. I made no changes to configuration file whatsoever but I restarted logged in as "root". After that all the data coming in has host values as "myhost1-root".

I again restarted the forwarder after few hours and I logged in as another user say mwuser and now host name is coming as "myhost1-mwuser".

Does anyone has faced this issue or provide me some guidance to how to troubleshoot this?
Thanks in advanced.

0 Karma
Reply

I_am_Jeff
Communicator
‎04-14-2014 11:09 AM

Since you mention "root" I'll assume this is a UNIX/Linux implementation. If splunk was originally running as a non-root user, then started as root any new files will be owned by root and possibly not readable or changeable by others. If you go back to the non-root user, various strange things will happen as various files will be unreadable or unchangeable. Check the file ownerships.

0 Karma
Reply

somesoni2
Revered Legend
‎03-14-2014 08:55 AM

Thanks for your quick response. Logically, it should be the same issue as mentioned in the post (server.conf still has $HOSTNAME-$USERNAME). I have requested copy of server.conf from this server, waiting for it to confirm.

0 Karma
Reply

gnovak
Builder
‎03-14-2014 07:29 AM

When you installed the forwarder, did you specify the server to use by running:

./splunk add forward-server <servername>:9997 -auth <username>:<password>

? This is very strange...Never heard of this before but I'm checking out the post from before.

0 Karma
Reply

lukejadamec
Super Champion
‎03-14-2014 07:21 AM

I've never seen it, but someone has:
http://answers.splunk.com/answers/12662/universal-forwarder-adds-root-to-servername

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...