Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change hostname for the splunk windows universal forwarder?

chakavak
Loves-to-Learn Lots
‎01-29-2024 10:43 PM

I have installed splunk and added windows systems to splunk through universal forwarder, but I have a problem with default system names, these names confusing me when I check their status, I want to consider alias name or rename hostname so that I diagnose system with it's name in search. 

For example, I want to change hostname "WIN-KLV1NNUJO8P" to "mydashboard" .

Please help me, I can't find answer for this problem and solutions that I found in the internet not working 😞

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-04-2024 05:23 AM

As you are talking about windows, it might be more complicated than that.

By default TA_windows contains tranforms which extract the host field from the event itself so even if you set it to something in the UF's configuration, it will be overwritten by the value of ComputerName of Computer field from the event. (and that makes sense because often windows event are not generated on the host they are being ingested from - WEF is a commonly used mechanism to forward events within a windows environment to a single collector node from which it is pulled by UF).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 10:46 PM

Hi @chakavak,

you could manually rename hostaname in $SPLUNK_HOME\etc\system\local\server.conf and $SPLUNK_HOME\etc\system\local\inputs.conf of your forwarder to have thes values in your logs.

Otherwise, you could rename it with a calculated field at search time.

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-30-2024 12:31 AM

Excuse me, can you tell me how to use calculated field for renaming host (for example change "WIN-KLV1NNUJO8P" to "mydashboard"? I'm new to splunk and learning😅

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-29-2024 10:57 PM

Hi @gcusello

Thank you for your reply, I changed the hostname in server.conf, but in forwarder inputs.conf not there in the mentioned path, I have outputs.conf!!!!

It also doesn't work when I just change the server.conf file. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2024 11:25 PM

Hi @chakavak,

outputs.con must not be changed!

did you restarted Splunk on the UF after change?

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-29-2024 11:37 PM

Yes, I restarted the SplunkForwarder service

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-30-2024 12:38 AM

Hi @chakavak ,

could you share your $SPLUNK_HOME\etc/system\local\server.conf ?

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-30-2024 12:50 AM

[general]

serverName = mydashboard

pass4SymmKey = $7$Jte1qcrLi+3xY2ipx1brJChXbKmr+9ZYKthpA0Edywk92IjolIKAEg==

[sslConfig]

sslPassword = $7$+6pIzsRauFB5hevEHOxTpjcV3OW9bakXS9oFXZYydFHaX98N1irSjg==

[lmpool:auto_generated_pool_forwarder]

description = auto_generated_pool_forwarder

peers = *

quota = MAX

stack_id = forwarder

[lmpool:auto_generated_pool_free]

description = auto_generated_pool_free

peers = *

quota = MAX

stack_id = free

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-30-2024 01:09 AM

Hi @chakavak,

it's correct and it should be sufficient.

Anyway, please add in $SPLUNK_HOME\etc\system\local the inpus.conf file containing the following stanza:

[default]
host = mydashboard

and restart Splunk on the Universal Forwarder.

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-30-2024 08:54 PM

Thank you @gcusello

I tried this solution, but it didn't work🙁 I think Splunk reads the computer name from another file that has a higher priority 🤔

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-30-2024 10:29 PM

Hi @chakavak,

maybe there's another server.conf, please try:

cd \Program Files\splunkuniversalforwarder\bin
splunk btool server list --debug > my_server.txt

and search in my_server.txt if there's another "hostname" parameter in another server.conf file.

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎01-31-2024 01:01 AM

I found a serverName = $COMPUTERNAME in the path blow:

\Peogrm Files\splunkuniversalforwarder\etc\system\default \server.conf 

I changed this parameter and also added [default] host = mydashboard in config file , it didn't work😕

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2024 01:18 AM

Hi @chakavak,

the default folder has a minor priority than local and you cannot modify it.

[default] host = mydashboard must be inserted in inputs.conf not in server.conf.

Open a case to Splunk Support for behavior non aligned with documentation, sending them a diag from that UF.

Ciao.

Giuseppe

0 Karma
Reply

chakavak
Loves-to-Learn Lots
‎02-02-2024 09:09 PM

Hi @gcusello

OK. Thanks for your advice. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top