I'm getting frustrated with one server ending up in my index with both "hostname" and "hostname.domainname" depending on the indexed data.
I've found a post talking about tagging (http://answers.splunk.com/questions/456/how-do-i-hard-code-the-fqdn-as-the-host-attribute-and-how-do-i-move-all-the-ol) which pointed to a doc page (http://www.splunk.com/base/Documentation/4.1/Knowledge/Tagthehostfield).
I don't have splunk up and running in production as I'm still in an evaluation/test phase - in my test environment I keep testing and reinstalling/cleaning the indexes if necessary, so I'm trying to get this right from scratch/the start...
All servers in my test environment run SplunkLightForwarders. The only unit using syslog (for now) is my firewall that sends all logs to my splunk indexer/receiver on port 514/udp.
1) When splunk (4.1.3, then upgraded to 4.1.4) is installed on Linux, $SPLUNK_HOME/etc/system/local/inputs.conf and server.conf insert the full servername including the domain (hostname.domain). On Windows, only hostname is set in these variables. Why? I need/want the full name, not only a simple hostname. I changed the variables on a windows server to be a full name with hostname and domain in the two config files and added a file monitor to a file on that server and on one of the others. The one I edited put the full name as host while the other server just gave me hostname. That's why I'm wondering why splunk inserts different values on Windows and Linux (hostname vs hostname.domain).
2) Let's say I've got splunk running with data I don't want to lose. Is it possible to change the host value for those that only have "hostname", perhaps with reindexing? Or is tagging the only way to get the right search result (tagging hostname host values with hostname.domain)?
1) Splunk just calls the hostname command and inserts whatever the machine returns. The result depends on how your machines are configured. The value depends on how the machine happens to be configured. It doesn't depend on platform. I have seen Windows machines (in the same domain) may work both ways, but I don't know what specifically in the configuration makes them return one vs the other.
2) Re-indexing is the best option if it is an available option for you.
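Since the host field is just whatever `hostname` returned on the forwarder, the practical fix for new data is to pin it explicitly in inputs.conf rather than rely on the OS. The script below is an added example (not from this thread or from Splunk): it normalizes a short or qualified name to an FQDN and renders the `[default]` stanza that sets `host`; the domain is an argument, and the `example.com` names in the comments are made up. As the answer above says, this only affects events indexed after the change.

```sh
#!/bin/sh
# Added example: compute the FQDN a Splunk forwarder should stamp on events
# and emit the inputs.conf [default] stanza that pins it.
# Assumes the DNS domain is passed as the first argument (e.g. example.com).

# Print the fully qualified name for a short or already-qualified hostname.
fqdn_for() {
  name=$1
  domain=$2
  case "$name" in
    *.*) printf '%s\n' "$name" ;;              # already qualified: keep as-is
    *)   printf '%s.%s\n' "$name" "$domain" ;; # short name: append the domain
  esac
}

# Render the inputs.conf [default] stanza that forces the host field.
# Put this in $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder;
# it applies to data indexed from then on, not to events already in the index.
host_stanza() {
  printf '[default]\nhost = %s\n' "$1"
}

# Compare what `hostname` returns with the value we want, then print the stanza.
# Usage: sh fqdn_host.sh example.com
main() {
  current=$(hostname)
  wanted=$(fqdn_for "$current" "$1")
  if [ "$current" != "$wanted" ]; then
    echo "note: 'hostname' returns '$current'; Splunk would record that unless host is pinned" >&2
  fi
  host_stanza "$wanted"
}

# Only act when a domain argument is supplied, so the functions can be sourced.
if [ $# -ge 1 ]; then
  main "$1"
fi
```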
According to your answer to 2) - do you have some good links for doc/webpages on how to change the host variable and do a reindexing?
By reindexing you mean change the variable(s) on the splunk indexer and then reindex the data, or is it something else?
Sorry if it's a noob question, but still just at the beginning of my splunk self-education and want to get things right 🙂