As I don't know if this is a bug or intended, I'll try to see if anyone knows.
When doing a new install of the universal forwarder the servername adds a -root for some specific reason.
[root@splunktest opt]# rpm -i splunkforwarder-4.2-96430-linux-2.6-x86_64.rpm
[root@splunktest opt]# /opt/splunkforwarder/bin/splunk start --accept-license
[root@splunktest opt]# /opt/splunkforwarder/bin/splunk show servername
Server name: splunktest.domain.com*-root*
Looks kinda weird since all my old 4.1.7 forwarders don't append -root to their servernames.
Sorry, no answer, just want to add the fact this is a problem in certain environments where a deployment server is used as it should be to deploy clients. We initially deployed manually (no deployment server) and would remove the [default] host = computer name from the /etc/local/inputs.conf. This resulted in the host name being the FQDN...perfect. Now we are trying to migrate to the new Universal Forwarders using a deployment server, a test run on one host worked great with the exception that it now has a capitalized computer name in Splunk...so now I have two host names for the same box. I understand I can put [default] host = fqdn in the inputs.conf, but that defeats the purpose of a deployment server, I basically need an entry for every device (>300) in my serverclass.conf
As Josh said, Splunk will default to hostname-username if serverName is not set in server.conf. The difference in 4.2 is that Splunk now doesn't query hostname on first boot (to set this variable to just the hostname) like 4.1.x did. Look in etc/system/local/server.conf.
As a result, any server upgraded from 4.1.x will have just its hostname, any new install of 4.2.x will default to hostname-username.
The variable in etc/system/default/server.conf has always been $HOSTNAME-$USERNAME or whatever like that.
Usually this has never mattered, because it got set to servername in install in so-called "first time run".
However, there was a goal to do mass rollouts of the Universal Forwarder with no config tweaks at all, pre-installed etc, so you are now seeing these variable expansions take place.
I was never sure of the goal of having $USER in there. I suspect it was for development purposes at HQ. If it causes any operational difficulties/annoyances we should get a bug or at least a ticket filed to discuss.
Note: the same on Solaris10 x86
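
Added example (not part of any post in this thread, and not Splunk's own code): a Python check built on the behaviour described in the answers above, reporting whether a forwarder's etc/system/local/server.conf pins serverName or would fall back to hostname-username. The function names, status labels and sample file contents are constructed for illustration; it assumes serverName is read from the [general] stanza.

```python
import re

STANZA = re.compile(r"^\[([^\]]*)\]\s*$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

# Constructed samples: a file where first-time run wrote serverName (4.1.x style)
# and a fresh 4.2-style file where [general] has no serverName.
UPGRADED = "[general]\nserverName = splunktest.domain.com\n"
FRESH = "# constructed\n[general]\n\n[hypothetical_stanza]\nserverName = ignored\n"


def explicit_server_name(conf_text):
    """Return serverName from the [general] stanza, or None if it is not set."""
    stanza, found = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            stanza = header.group(1)
            continue
        setting = SETTING.match(line)
        if setting and stanza == "general" and setting.group(1) == "serverName":
            # Assumption of this example: a repeated key keeps the last value.
            found = setting.group(2).strip() or None
    return found


def audit(conf_text, hostname, username):
    """Return (status, effective_name) for one forwarder's local server.conf."""
    name = explicit_server_name(conf_text)
    fallback = f"{hostname}-{username}"  # default form described in the thread
    if name is None:
        return ("unset", fallback)       # fresh 4.2 install: falls back
    if name == fallback:
        return ("suffixed", name)        # pinned, but to the suffixed form
    return ("pinned", name)


if __name__ == "__main__":
    for label, text in (("upgraded", UPGRADED), ("fresh", FRESH)):
        print(label, audit(text, "splunktest.domain.com", "root"))
```

Run over the local server.conf collected from each forwarder, the "unset" and "suffixed" results pick out the hosts that will report under a second name alongside upgraded 4.1.x forwarders.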