Why is Splunk showing wrong hostname?

sarashafek · ‎04-19-2023

Hi,

I have a zscaler NSS connected to splunk. I've been running some tests to see how splunk reacts to change in DNS entries.
It seems that the hostname isnt changed in splunk. Can anyone help me on this? DNS splunk 1.PNG DNS splunk 2.PNG

nssem1.clab.group is the old name.

Thanks!

woodcock · ‎04-20-2023

Your best bet is to use the IP and then do DNS lookup at search time with:
... | lookup dnslookup clientip AS host ...

richgalloway · ‎04-20-2023

Splunk doesn't necessarily get its hostname from DNS. It can be hardcoded in inputs.conf (host=foo) or server.conf (serverName=foo). There's also the hostnameOption in server.conf which determines if DNS is consulted, but only applies on Windows.

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎04-20-2023

It could also define so that when UF process start, it determine what is hostname at this time. Then it could be almost anything from localhost to fqdn. Actually splunk knowns hosts by GUID not by hostname.

Why is Splunk showing wrong hostname?

indexer

universal forwarder

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Are you a member of the Splunk Community?

Why is Splunk showing wrong hostname?

indexer

universal forwarder

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...