Universal forwarder adds -root to servername?

drohr
Engager

As I don't know if this is a bug or intended, I'll try to see if anyone knows.

When doing a new install of the universal forwarder the servername adds a -root for some specific reason.

[root@splunktest opt]# rpm -i splunkforwarder-4.2-96430-linux-2.6-x86_64.rpm

[root@splunktest opt]# /opt/splunkforwarder/bin/splunk start --accept-license

[root@splunktest opt]# /opt/splunkforwarder/bin/splunk show servername

Server name: splunktest.domain.com*-root*

Looks kinda weird since all my old 4.1.7 forwarders don't append -root to their servernames.

kevins1112
New Member

Sorry, no answer, just want to add the fact this is a problem in certain environments where a deployment server is used as it should be to deploy clients. We initially deployed manually (no deployment server) and would remove the [default] host = computer name from the /etc/local/inputs.conf. This resulted in the host name being the FQDN...perfect. Now we are trying to migrate to the new Universal Forwarders using a deployment server, a test run on one host worked great with the exception that it now has a capitalized computer name in Splunk...so now I have two host names for the same box. I understand I can put [default] host = fqdn in the inputs.conf, but that defeats the purpose of a deployment server, I basically need an entry for every device (>300) in my serverclass.conf

0 Karma

Jason
Motivator

As Josh said, Splunk will default to hostname-username if serverName is not set in server.conf. The difference in 4.2 is that Splunk now doesn't query hostname on first boot (to set this variable to just the hostname) like 4.1.x did. Look in etc/system/local/server.conf.

As a result, any server upgraded from 4.1.x will have just its hostname, any new install of 4.2.x will default to hostname-username.

0 Karma

jrodman
Splunk Employee

The variable in etc/system/default/server.conf has always been $HOSTNAME-$USERNAME or whatever like that.

Usually this has never mattered, because it got set to servername in install in the so-called "first time run".

However, there was a goal to do mass rollouts of the Universal Forwarder with no config tweaks at all, pre-installed etc, so you are now seeing these variable expansions take place.

I was never sure of the goal of having $USER in there. I suspect it was for development purposes at HQ. If it causes any operational difficulties/annoyances we should get a bug or at least a ticket filed to discuss.
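The check the two answers above point to, as an added example that is not part of the original thread and is not Splunk's code: it reports whether a forwarder's etc/system/local/server.conf sets serverName explicitly or leaves it to the hostname-username fallback described for fresh 4.2 installs. The function names, the `[example]` stanza and the sample tree are constructed for illustration, and it assumes serverName lives in the `[general]` stanza.

```sh
#!/bin/sh
# Added example (not Splunk's code). Assumption: serverName is read from the
# [general] stanza of etc/system/local/server.conf, the file the answers name.

# Print the explicit serverName from [general] in FILE; return 1 if none is set.
servername_from_conf() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*\[/ {                             # stanza header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_general = (s == "general"); next
        }
        in_general && /^[ \t]*serverName[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            val = v                               # this script keeps the last value seen
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# audit_forwarder SPLUNK_HOME HOST USER
# Prints "pinned NAME" when local server.conf sets it, else "default HOST-USER",
# the hostname-username fallback the thread describes.
audit_forwarder() {
    if name=$(servername_from_conf "$1/etc/system/local/server.conf"); then
        echo "pinned $name"
    else
        echo "default $2-$3"
    fi
}

# Demo on a constructed tree (sample values, not taken from a real host).
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/system/local"
    printf '[example]\nserverName = ignored\n\n[general]\n# serverName = old\nserverName = splunktest.domain.com\n' \
        > "$d/etc/system/local/server.conf"
    audit_forwarder "$d" splunktest.domain.com root
    rm -rf "$d"
}
demo
```

Run against each forwarder's install directory before enrolling it with a deployment server; any host reporting `default` will register under the hostname-username form.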

LCM
Contributor

Note: the same on Solaris10 x86

0 Karma