We are installing splunk universal forwarder in all of our servers. It seems to be working fine, however there are multiple entries of each universal forwarder (fqdn and short name)
test.example.com (entry 1)
I have verified that in the server.conf, the serverName entry is present.
serverName = test.example.com
pass4SymmKey = TEST
Can you share on what would be the right way to fix this issue ?
I've seen this usually with syslog (/var/log/syslog)
Syslog is a pre trained sourcetype and extracts the host from within the log itself and if the log has the hostname without FQDN, you see that.
Check the sourcetypes for each of those host entry |tstats count WHERE host=test* by host,sourcetype | stats values(sourcetype) by host
You will see your problematic sourcetype that is causing the host value without FQDN.