I have a few windows machines Light Forwarding in to a central indexer, sending just WinEventLogs for now. For most hosts, its events' ComputerName is the same as the host field. For a couple, it's not.
It's causing confusion as server A, which shows up at ComputerName A in its events, comes through with a host field of B, the name of a different existing server not currently running a Splunk forwarder.
Where does Splunk on Windows get its host: field from, and can it be explicitly be overridden?
Hi, super long shot, but was a solution ever found to this? We seem to be having this issue right now. Last week all the host fields were parsed to include the domain part, this week they are back to being hostname only.
I've compared 2 logs from the same host, with the same event ID. The only difference I can see in the logs is that dvc_nt_host is different between the 2, while dvc is the fqdn on both. Which is super off because this line is in the props.conf of the Windows TA app
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
Cloning is not in play with the systems I was having trouble with. I have seen (as I mentioned here: http://splunk-base.splunk.com/answers/28879/host-value-for-windows)
COMPUTER NAME (all upper case, not fqdn)
computer name (all lower case, not fqdn)
computer.domain.com.au (the value I actually want, canonical DNS fqdn)
computer.windows-domain.com.au (derived from AD info if present)
It usually highly improbable that Splunk implementers get to rename windows boxes as they see fit, and there's no built in way to normalise the hostname so this results in endless hacking to sort out.
We have seen this happen when a system is renamed or cloned AFTER the Splunk forwarder is installed. The Splunk files are not updated with the new name.
You can remove and re-install the forwarder or update the $SPLUNK_HOME\etc\system\local files with the proper hostname.
The trouble is, tracking down those hosts in an efficient manner.
I've been affected by and tracking this issue for more than a year. There doesn't seem to be any good answer (this isn't one either I'm afraid), and windows hosts seem to return an essentially random host value based on the computer name somehow :-).
Can we please have a proper solution to this in the windows app, which allows the user at setup-time to require ALL events to be indexed with either FQDN or computer name, or at any rate ONE VALUE PER COMPUTER. I've seen 'solutions' which range from hard-coding the name in inputs.conf (which isn't available with WMI anyway), messing around with props and transforms, to rewriting the data at index time. In my experience, Splunk admins can't control how a given windows box has been setup, so we must have a way to work around this reliably and consistently. Many shops, and nearly all the larger ones, are multiplatform, and it's high time that the windows and unix apps behaved the same way. Even in an all-windows site, you will see interesting variations on the hostname, which make searches and UI elements needlessly painful to construct.
Certainly submit an Enhancement Request (P4 bug) if not a higher priority bug so Splunk can track requests for this. I have seen these issues at many clients.
Any traction on the Enhancement Request? Just curious. Thanks.
Yes, inputs.conf can and will affect it. See Ledio's post below.
I cant tell why it switches from one host to another though.. You are not grabbing event logs from CPNameB through WMI or anything else, are you?
The Host field in events coming from Windows Event Logs is set by the value in "ComputerName" field. To overwrite this, set the value of the Host field in etc\apps\windows\local\inputs.conf You can set it globally under the [default] stanza, or you can set it individually for each Event Log channel:
[WinEventLog:Application]
host = host.ad.com
...
If logs are collected via WMI (not likely in the case of LWF), the host will be set to the value of the ComputerName field.
A Splunk server (including a forwarder) will always have the default "host" value set in $SPLUNK_HOME\etc\system\local\inputs.conf
by first-time run. The value is set to the result of the hostname
command run on the machine at that time. This can be changed or overridden in another inputs.conf globally or by stanza, but unless this is done, WinEventLogs will end up using this value.
Not currently, due to other things happening on the server right now. Probably later.
Would this be affected by inputs.conf? This had the same splunk install package installed on it as other servers which are correctly reporting their ComputerName as host.
can you show us your monitor stanzas in inputs.conf?