Universal Forwarder shows up as both hostname and ...

mikev63 · ‎05-11-2018

How do I only have one entry instead of the hostname and fqdn?

After adding my forwarded to the Splunk environment. I see the forwarded has both hostname and fqdn

skoelpin · ‎05-13-2018

I'm assuming you see the FQDN and hostname under host in the Selected Fields section?

Your forwarder gets the name of the host from outputs.conf on the forwarder. So you should check if your forwarders outputs.conf has both values listed

xpac · ‎05-11-2018

Where do you see that? Forwarder Management? Internal logs?

cpetterborg · ‎05-12-2018

Are they from the same sourcetype? Is some data making it into Splunk from another source (like syslog, etc.). It is unlikely that the hostname and fqdn are coming in from the same UF. It is more likely that there is data from some other source than just the one UF.

pradeepkumarg · ‎05-12-2018

https://answers.splunk.com/answers/642834/why-are-there-multiple-host-entries-for-every-splu.html#an...

kamal2222ahmed · ‎05-11-2018

please paste the result of the following while logged in your source node, where UF is running

hostname -A
hostname -d
hostname -i
hostname -s

And your /etc/hosts file <- do not post this on a public forum... i wouldnt post the above without redacting some number of characters too.

Universal Forwarder shows up as both hostname and fqdn in search engine (Splunk Console)

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?