Getting Data In

Windows Vs Linux - host and serverName variable in system/local/ (host in searches)

Joffer
Path Finder

I'm getting frustrated with one server ending up in my index with both "hostname" and "hostname.domainname" depending on the indexed data.

I've found a post talking about tagging (http://answers.splunk.com/questions/456/how-do-i-hard-code-the-fqdn-as-the-host-attribute-and-how-do-i-move-all-the-ol) which pointed to a doc page (http://www.splunk.com/base/Documentation/4.1/Knowledge/Tagthehostfield).

I don't have splunk up and running in production as I'm still in an evaluation/test phase - in my test environment I keep testing and reinstalling/cleaning the indexes if necessary, so I'm trying to get this right from scratch/the start...

All servers in my test environment run SplunkLightForwarders. The only unit using syslog (for now) is my firewall that sends all logs to my splunk indexer/receiver on port 514/udp.

Questions:

1) When splunk (4.1.3, since upgraded to 4.1.4) is installed on Linux, $SPLUNK_HOME/etc/system/local/inputs.conf and server.conf insert the full servername including the domain (hostname.domain). On Windows, only hostname is set in these variables. Why? I need/want the full name, not only a simple hostname. I changed the variables on a windows server to be a full name with hostname and domain in the two config files and added a file monitor to a file on that server and on one of the others. The one I edited put the full name as host while the other server just gave me hostname. That's why I'm wondering why splunk inserts differently on Windows and Linux (hostname Vs hostname.domain).

2) Let's say I've got splunk running with data I don't want to lose. Is it possible to change the host value for those who only have "hostname", perhaps with reindexing? Or is tagging the only way to get the right search result (tagging hostname host values with hostname.domain)?


gkanapathy
Splunk Employee

1) Splunk just calls the hostname command and inserts whatever the machine returns. The result depends on how your machines are configured. The value depends on how the machine happens to be configured. It doesn't depend on platform. I have seen that Windows machines (in the same domain) may work both ways, but I don't know what specifically in the configuration makes them return one vs the other.

2) Re-indexing is the best option if it is an available option for you.
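Since the host value is whatever `hostname` returned at install time, the practical check is to read what each forwarder actually has in its `[default]` stanza and set `host` and `serverName` to the same FQDN. The script below is an added example (not code from this thread or from Splunk); the sample inputs.conf and the domain `corp.example` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): read the "host" value from
# the [default] stanza of an inputs.conf, report whether it is a short name or an
# FQDN, and render the two stanzas the thread discusses with a consistent FQDN.
# The sample conf and the domain "corp.example" below are constructed.

# Print the "host" value in the [default] stanza of the conf file given as $1;
# keys under other stanzas (e.g. a monitor stanza) are ignored.
default_host_of() {
    awk -F'=' '
        /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[default\][ \t]*$/); next }
        in_default && $1 ~ /^[ \t]*host[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Classify a host value: "fqdn" when it carries a domain part, else "short".
host_kind() {
    case "$1" in
        *.*) echo fqdn ;;
        *)   echo short ;;
    esac
}

# Append the domain ($2) to a short host value; leave an FQDN ($1) unchanged.
qualify_host() {
    if [ "$(host_kind "$1")" = fqdn ]; then echo "$1"; else echo "$1.$2"; fi
}

# Render inputs.conf [default] host and server.conf [general] serverName with
# the same name, so forwarder and indexer metadata agree.
render_stanzas() {
    printf '# inputs.conf\n[default]\nhost = %s\n\n# server.conf\n[general]\nserverName = %s\n' "$1" "$1"
}

# Constructed sample: a Windows forwarder whose inputs.conf carries only the short name.
SAMPLE_CONF="${TMPDIR:-/tmp}/inputs.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[default]
host = winserver01
[monitor://C:\logs\app.log]
sourcetype = app_log
EOF

h="$(default_host_of "$SAMPLE_CONF")"
echo "current host value: $h ($(host_kind "$h"))"
if [ "$(host_kind "$h")" = short ]; then
    render_stanzas "$(qualify_host "$h" corp.example)"
fi
rm -f "$SAMPLE_CONF"
```

Run it against each forwarder's `$SPLUNK_HOME/etc/system/local/inputs.conf` to find the boxes that will index under a short name before any production data lands.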


Joffer
Path Finder

According to your answer to 2) - do you have some good links for doc/webpages on how to change the host variable and do a reindexing?

By reindexing you mean change the variable(s) on the splunk indexer and then reindex the data, or is it something else?

Sorry if it's a noob question, but still just at the beginning of my splunk self-education and want to get things right 🙂
