Getting Data In
Highlighted

Why are there multiple host entries for every Splunk forwarder?

Explorer

Hi

We are installing splunk universal forwarder in all of our servers. It seems to be working fine, however there are multiple entries of each universal forwarder (fqdn and short name)

For example:

test.example.com (entry 1)
test (entry2)

I have verified that in the server.conf, the serverName entry is present.

[general]
serverName = test.example.com
pass4SymmKey = TEST

Can you share on what would be the right way to fix this issue ?

Highlighted

Re: Why are there multiple host entries for every Splunk forwarder?

SplunkTrust
SplunkTrust

Check the inputs.conf as well for host attribute.

0 Karma
Highlighted

Re: Why are there multiple host entries for every Splunk forwarder?

Influencer

I've seen this usually with syslog (/var/log/syslog)

Syslog is a pre trained sourcetype and extracts the host from within the log itself and if the log has the hostname without FQDN, you see that.

Check the sourcetypes for each of those host entry |tstats count WHERE host=test* by host,sourcetype | stats values(sourcetype) by host

You will see your problematic sourcetype that is causing the host value without FQDN.

Highlighted

Re: Why are there multiple host entries for every Splunk forwarder?

Esteemed Legend

Read this carefully, including the clone-prep-clear-config command:
http://docs.splunk.com/Documentation/Forwarder/7.0.3/Forwarder/Makeauniversalforwarderpartofahostima...

0 Karma