Re: Why is splunk indexing two hostnames from one ...

airforceboricua · ‎12-04-2015

Backstory:
I'm running several instances in which they terminate nightly. These instances are automatically re-created in the morning. I have data volumes that are mounted to each instance that contains all of the splunk data. The splunk service is started after the initial boot scripts are ran.

Problem:
AWS provides a hostname by default which is changed with my boot scripts (Usually its something to this effect: 'ip-10-0-0-2'). Once splunk is started logs are being indexed as either the default hostname or the hostname in which my script has changed it to. The logs that are being sent by the default hostname are typically system logs such as syslog and a few others.

Question:
How can I fix this so that all logs are being sent under one hostname preferably the hostname that I have changed it to in my boot scripts?

hortonew · ‎12-04-2015

In $SPLUNK_HOME/etc/system/local there are two files which contain the hostname that Splunk uses when it sends data. You should modify these before going forward.

server.conf

[general]
serverName = <>

inputs.conf

[default]
host = <>

Why is splunk indexing two hostnames from one server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation