Re: Why is splunk indexing two hostnames from one ...

airforceboricua · ‎12-04-2015

Backstory:
I'm running several instances in which they terminate nightly. These instances are automatically re-created in the morning. I have data volumes that are mounted to each instance that contains all of the splunk data. The splunk service is started after the initial boot scripts are ran.

Problem:
AWS provides a hostname by default which is changed with my boot scripts (Usually its something to this effect: 'ip-10-0-0-2'). Once splunk is started logs are being indexed as either the default hostname or the hostname in which my script has changed it to. The logs that are being sent by the default hostname are typically system logs such as syslog and a few others.

Question:
How can I fix this so that all logs are being sent under one hostname preferably the hostname that I have changed it to in my boot scripts?

hortonew · ‎12-04-2015

In $SPLUNK_HOME/etc/system/local there are two files which contain the hostname that Splunk uses when it sends data. You should modify these before going forward.

server.conf

[general]
serverName = <>

inputs.conf

[default]
host = <>

Why is splunk indexing two hostnames from one server?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Why is splunk indexing two hostnames from one server?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk