How to change hostname for the splunk windows universal forwarder?
I have installed Splunk and added Windows systems to Splunk through the universal forwarder, but I have a problem with the default system names. These names confuse me when I check their status. I want to use an alias name or rename the hostname so that I can identify a system by its name in search.
For example, I want to change hostname "WIN-KLV1NNUJO8P" to "mydashboard".
Please help me, I can't find an answer for this problem, and the solutions that I found on the internet are not working 😞

As you are talking about Windows, it might be more complicated than that.
By default TA_windows contains transforms which extract the host field from the event itself, so even if you set it to something in the UF's configuration, it will be overwritten by the value of the ComputerName or Computer field from the event. (And that makes sense, because often Windows events are not generated on the host they are being ingested from. WEF is a commonly used mechanism to forward events within a Windows environment to a single collector node, from which they are pulled by the UF.)


Hi @chakavak,
you could manually rename the hostname in $SPLUNK_HOME\etc\system\local\server.conf and $SPLUNK_HOME\etc\system\local\inputs.conf of your forwarder to have these values in your logs.
Otherwise, you could rename it with a calculated field at search time.
Ciao.
Giuseppe
Excuse me, can you tell me how to use a calculated field for renaming a host (for example, change "WIN-KLV1NNUJO8P" to "mydashboard")? I'm new to Splunk and learning 😅
Hi @gcusello
Thank you for your reply. I changed the hostname in server.conf, but on the forwarder inputs.conf is not there in the mentioned path; I have outputs.conf!!!!
It also doesn't work when I just change the server.conf file.


Hi @chakavak,
outputs.conf must not be changed!
Did you restart Splunk on the UF after the change?
Ciao.
Giuseppe
Yes, I restarted the SplunkForwarder service


[general]
serverName = mydashboard
pass4SymmKey = $7$Jte1qcrLi+3xY2ipx1brJChXbKmr+9ZYKthpA0Edywk92IjolIKAEg==
[sslConfig]
sslPassword = $7$+6pIzsRauFB5hevEHOxTpjcV3OW9bakXS9oFXZYydFHaX98N1irSjg==
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free


Hi @chakavak,
it's correct and it should be sufficient.
Anyway, please add in $SPLUNK_HOME\etc\system\local the inputs.conf file containing the following stanza:
[default]
host = mydashboard
and restart Splunk on the Universal Forwarder.
Ciao.
Giuseppe
Thank you @gcusello
I tried this solution, but it didn't work 🙁 I think Splunk reads the computer name from another file that has a higher priority 🤔


Hi @chakavak,
maybe there's another server.conf, please try:
cd \Program Files\splunkuniversalforwarder\bin
splunk btool server list --debug > my_server.txt
and search in my_server.txt if there's another "hostname" parameter in another server.conf file.
Ciao.
Giuseppe
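
One way to do the search through my_server.txt suggested in the reply above, added here as an example and not part of the original thread. It assumes each `--debug` line is "source .conf path, whitespace, setting"; the function name `effective_settings` is hypothetical and the sample text is constructed. The same parse applies to the output of `splunk btool inputs list --debug` when looking for `host`.

```python
import re

# Assumed layout of a `btool <conf> list --debug` line: path of the source .conf
# file, whitespace, then a [stanza] header or a "key = value" setting.
# Anchoring on ".conf" keeps Windows paths with spaces ("Program Files") whole.
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<rest>\S.*)$")

def effective_settings(btool_output, wanted=("serverName", "host")):
    """Return (stanza, key, value, source_file, layer) for each wanted key.

    btool prints only the value that wins after layering, so source_file is
    the file that has to change; layer is its parent folder (local/default).
    """
    found, stanza = [], None
    for raw in btool_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not btool output
        path, rest = m.group("path"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            continue
        key, sep, value = rest.partition("=")
        if sep and key.strip() in wanted:
            parts = re.split(r"[\\/]", path)
            layer = parts[-2].lower() if len(parts) > 1 else ""
            found.append((stanza, key.strip(), value.strip(), path, layer))
    return found

# Constructed sample, not captured from a real forwarder.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf   [general]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf   serverName = mydashboard
C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf   [lmpool:auto_generated_pool_free]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf   description = auto_generated_pool_free
"""

if __name__ == "__main__":
    for stanza, key, value, path, layer in effective_settings(SAMPLE):
        print(f"[{stanza}] {key} = {value}  <- {layer}: {path}")
```
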
I found a serverName = $COMPUTERNAME in the path below:
\Program Files\splunkuniversalforwarder\etc\system\default\server.conf
I changed this parameter and also added [default] host = mydashboard in the config file, but it didn't work 😕


Hi @chakavak,
the default folder has a lower priority than local and you cannot modify it.
[default] host = mydashboard must be inserted in inputs.conf, not in server.conf.
Open a case with Splunk Support for behavior not aligned with the documentation, sending them a diag from that UF.
Ciao.
Giuseppe
Hi @gcusello
OK. Thanks for your advice.
