Why is my server name not displayed as host?

mawomommoh
Path Finder

I have a UF installed on my local machine and I installed a different UF on a server which I remotely connect to. Whenever I forward files from the remote server it works well but instead of the "host" field value showing as the server name, it shows my local machine name instead. I don't know why this is. Since I am forwarding from the server I expected that the host value will be the server name. Am I missing something? Is there a way to make the host value the server name instead of my local machine name?

pradeepkumarg
Influencer

How do you know it is actually the server that is sending the data and not your local machine?

Can you check any inputs.conf on the forwarder and look for the host value, to see if it has been accidentally set to your local machine?

You can also run this btool command to check which configuration file is taking precedence and has set the host value:

$ ./splunk cmd btool inputs list --debug | grep host

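The btool check from this answer, as an added example that is not part of the original post: a POSIX shell function that reads `btool inputs list --debug` output and reports every stanza whose effective `host` differs from the name you expect, together with the file that set it. The sample output, host names and paths are constructed, and the parser assumes each line is a `.conf` path followed by whitespace and then the stanza header or setting.

```shell
#!/bin/sh
# Added example: audit `btool inputs list --debug` output for host overrides.
# Real use (run on the forwarder, from $SPLUNK_HOME/bin):
#   ./splunk cmd btool inputs list --debug | find_host_overrides "$(hostname)"

# Constructed sample of btool --debug output: source file, then stanza or key = value.
sample_btool_output() {
cat <<'EOF'
/opt/splunkforwarder/etc/system/local/inputs.conf   [default]
/opt/splunkforwarder/etc/system/local/inputs.conf   host = LAPTOP-DEV01
/opt/splunkforwarder/etc/apps/app_logs/local/inputs.conf [monitor:///var/log/app]
/opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunkforwarder/etc/system/local/inputs.conf   host = LAPTOP-DEV01
/opt/splunkforwarder/etc/apps/app_logs/local/inputs.conf index = main
/opt/splunkforwarder/etc/apps/legacy/local/inputs.conf [monitor:///srv/drop]
/opt/splunkforwarder/etc/apps/legacy/local/inputs.conf host = APPSRV01
EOF
}

# Reads btool --debug output on stdin; $1 is the host name the events should carry.
# Prints "stanza<TAB>host value<TAB>file" for every host setting that differs.
find_host_overrides() {
    awk -v want="$1" '
        # Split the line at the first ".conf" that is followed by whitespace.
        match($0, /\.conf[ \t]+/) {
            file = substr($0, 1, RSTART + 4)
            rest = substr($0, RSTART + RLENGTH)
            if (rest ~ /^\[/) { stanza = rest; next }   # remember current stanza
            if (rest ~ /^host[ \t]*=/) {                # host only, not host_regex etc.
                val = rest
                sub(/^host[ \t]*=[ \t]*/, "", val)
                sub(/[ \t\r]+$/, "", val)
                # $decideOnStartup means "use the OS host name", so it is not an override.
                if (val != "$decideOnStartup" && tolower(val) != tolower(want))
                    printf "%s\t%s\t%s\n", stanza, val, file
            }
        }'
}

# Stand-alone run against the constructed sample.
sample_btool_output | find_host_overrides APPSRV01
```

On the sample, the two reported lines both point at `system/local/inputs.conf`, which is the situation described in this thread: one `host` value in `[default]` is inherited by every input that does not set its own.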

mawomommoh
Path Finder

I know it is the server because I remotely connect to the server (using Remote Desktop Connection) and I create the file I want to be forwarded on the server and then put it in the monitored folder. The created file does not show up on my local machine because I am on the server.

I set up a forwarder on the server, and that is how the file gets forwarded to Splunk. Without the forwarder the file won't go to Splunk. That shows that the forwarder is functioning from the server, not my machine.

pradeepkumarg
Influencer

Can you check any inputs.conf on the forwarder and look for the host value, to see if it has been accidentally set to your local machine?

You can also run this btool command to check which configuration file is taking precedence and has set the host value:

$ ./splunk cmd btool inputs list --debug | grep host

mawomommoh
Path Finder

You were right! Host value in inputs.conf was set to my local machine. Thanks!

niketn
Legend

@mawomommoh I have converted @gpradeepkumarreddy's comment to an answer. Please accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pradeepkumarg
Influencer

Thanks, I've updated the answer to be more relevant.
