Getting Data In

Why is my server name not displayed as host?

mawomommoh
Path Finder

I have a UF installed on my local machine and I installed a different UF on a server which I remotely connect to. Whenever I forward files from the remote server it works well, but instead of the "host" field value showing as the server name, it shows my local machine name. I don't know why this is. Since I am forwarding from the server, I expected that the host value would be the server name. Am I missing something? Is there a way to make the host value the server name instead of my local machine name?

0 Karma
1 Solution

pradeepkumarg
Influencer

How do you know it is actually the server that is sending the data and not your local machine?

Can you check any inputs.conf on the forwarder and look for the host value, to see if it has been accidentally set to your local machine?

You can also run this btool command to check which configuration file is taking precedence and has set the host value:

$ ./splunk cmd btool inputs list --debug | grep host

mawomommoh
Path Finder

I know it is the server because I remotely connect to the server (using Remote Desktop Connection) and I create the file I want to be forwarded on the server and then put it in the monitored folder. The created file does not show up on my local machine because I am on the server.

I set up a forwarder on the server, and that is how the file gets forwarded to Splunk. Without the forwarder the file won't go to Splunk. That shows that the forwarder is functioning from the server, not my machine.

0 Karma

pradeepkumarg
Influencer

Can you check any inputs.conf on the forwarder and look for the host value, to see if it has been accidentally set to your local machine?

You can also run this btool command to check which configuration file is taking precedence and has set the host value:

$ ./splunk cmd btool inputs list --debug | grep host

0 Karma

mawomommoh
Path Finder

You were right! Host value in inputs.conf was set to my local machine. Thanks!

0 Karma
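
The btool check from this thread, turned into a small audit script; this is an added example, not code from any poster or from Splunk. It parses saved `btool inputs list --debug` output and reports every stanza whose effective `host` differs from the expected server name, along with the file that set it. The sample output, paths and host names are constructed, and `find_host_mismatches` is a hypothetical helper name.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Paths and host names are hypothetical, not taken from the thread.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunkforwarder/etc/system/local/inputs.conf [default]
/opt/splunkforwarder/etc/system/local/inputs.conf host = ADMIN-LAPTOP
/opt/splunkforwarder/etc/apps/app_logs/local/inputs.conf [monitor:///var/log/app]
/opt/splunkforwarder/etc/apps/app_logs/local/inputs.conf host_segment = 3
/opt/splunkforwarder/etc/system/local/inputs.conf host = ADMIN-LAPTOP
/opt/splunkforwarder/etc/apps/audit/local/inputs.conf [monitor:///var/log/audit]
/opt/splunkforwarder/etc/apps/audit/local/inputs.conf host = appserver01
"""

# With --debug each line is "<source .conf path> <stanza header or key = value>".
# Anchoring on ".conf" keeps Windows paths that contain spaces intact.
LINE_RE = re.compile(r"^(?P<path>.*?\.conf)\s+(?P<rest>\S.*)$")
# Exact "host" key only; a plain `grep host` also matches host_segment, host_regex.
HOST_RE = re.compile(r"^host\s*=\s*(?P<value>.*)$")
# Default value that Splunk resolves to the machine's own name at startup.
AUTO_HOST = "$decideOnStartup"


def find_host_mismatches(btool_output, expected_host):
    """Return (stanza, host value, source file) for every effective host
    setting that differs from the name the forwarder should report."""
    findings = []
    stanza = None
    for raw in btool_output.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        rest = line.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest
            continue
        host = HOST_RE.match(rest)
        if not host:
            continue
        value = host.group("value").strip()
        # Host names are case-insensitive, so compare case-folded.
        if value != AUTO_HOST and value.casefold() != expected_host.casefold():
            findings.append((stanza, value, line.group("path")))
    return findings


if __name__ == "__main__":
    for stanza, value, path in find_host_mismatches(SAMPLE_BTOOL_OUTPUT, "appserver01"):
        print(f"{stanza}: host={value!r} set in {path}")
```

Because the `host` field is what searches and alerts use to attribute events to a machine, a hard-coded value copied from another system's inputs.conf misattributes every event from that forwarder.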

niketn
Legend

@mawomommoh I have converted @gpradeepkumarreddy's comment to an answer. Please accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

pradeepkumarg
Influencer

Thanks, I've updated the answer to be more relevant.

0 Karma