Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Universal forwarder shows 2 host names for the same server

neerajshah81
Path Finder
‎07-12-2018 12:16 PM

Hello, We have a single instance splunk deployment. I have installed Universal Forwarder on an Win 2012 R2 Active Directory DC. Upon checking / searching for the events in Splunk Search UI, i noticed it shows 2 different host names for the same DC server. Screenshot below. How to resolve this ? If i click on the 1st host "LAN-AD', it shows events related to CPU, Memory monitoring whereas if i click on the other one, this shows events related to Security Events, Application Event log etc.

alt text

Preview file
21 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎07-13-2018 09:14 AM

Interesting - what does $SPLUNK_HOME/etc/system/local/inputs.conf say on the forwarder? It should have the following - 

[default]
host = <host_name>
Reply

neerajshah81
Path Finder
‎07-17-2018 09:02 AM

Thank you Ddrillic. Earlier I was looking at a different inputs.conf ( in a different folder).

0 Karma
Reply

neerajshah81
Path Finder
‎07-13-2018 07:35 AM

Hi, i followed that link but don't see the solution mentioned. I have checked my server.conf and inputs.conf file on my Universal Forwarder. Both do not have any [servername] attribute defined. Where is the UF getting the 2 server names from ?

0 Karma
Reply

pradeepkumarg
Influencer
‎07-16-2018 10:09 AM

Check the other answer.. I've copy pasted below.

I've seen this usually with syslog (/var/log/syslog)

Syslog is a pre trained sourcetype and extracts the host from within the log itself and if the log has the hostname without FQDN, you see that.

Check the sourcetypes for each of those host entry |tstats count WHERE host=test* by host,sourcetype | stats values(sourcetype) by host

You will see your problematic sourcetype that is causing the host value without FQDN.

0 Karma
Reply

neerajshah81
Path Finder
‎07-17-2018 09:03 AM

Hi Pradeep, Thanks. Earlier I was looking at a different inputs.conf ( in a different folder) and so the confusion. After correcting the "correct" inputs.conf , i am all set.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...