Getting Data In

Universal forwarder adds -root to servername?

drohr
Engager

As I don't know if this is a bug or intended I'll try to see if anyone know.

When doing a new install of the universal forwarder the servername adds a -root for some specific reason.

[root@splunktest opt]# rpm -i splunkforwarder-4.2-96430-linux-2.6-x86_64.rpm

[root@splunktest opt]# /opt/splunkforwarder/bin/splunk start --accept-license

[root@splunktest opt]# /opt/splunkforwarder/bin/splunk show servername

Server name: splunktest.domain.com*-root*

Looks kinda weird since all my old 4.1.7 forwarders don't append -root to their servernames.

kevins1112
New Member

Sorry, no answer, just want to add the fact this is a problem in certain environments where a deployment server is used as it should be to deploy clients. We initially deployed manually (no deployment server) and would remove the [default] host = computer name from the /etc/local/inputs.conf. This resulted in the host name being the FQDN...perfect. Now we are trying to migrate to the new Universal Forwarders using a deployment server, a test run on one host worked great with the exception that it now has a capitalized computer name in Splunk...so now I have two host names for the same box. I understand I can put [default] host = fqdn in the inputs.conf, but that defeats the purpose of a deployment server, I basically need an entry for every device (>300) in my serverclass.conf

0 Karma

Jason
Motivator

As Josh said, Splunk will default to hostname-username if serverName is not set in server.conf. The difference in 4.2 is that Splunk now doesn't query hostname on first boot (to set this variable to just the hostname) like 4.1.x did. Look in etc/system/local/server.conf.

As a result, any server upgraded from 4.1.x will have just its hostname, any new install of 4.2.x will default to hostname-username.

0 Karma

jrodman
Splunk Employee
Splunk Employee

The variable in etc/system/default/server.conf has always been $HOSTNAME-$USERNAME or whatever like that.

Usually this has never mattered, because it got set to servername in install in so-called "first time run.

However, there was a goal to do mass rollouts of the Universal Forwarder with no config tweaks at all, pre-installed etc, so you are now seeing these variable expansions take place.

I was never sure of the goal of having $USER in there. I suspect it was for development purposes at HQ. If it causes any operational difficulties/annoyances we should get a bug or at least a ticket filed to discuss.

LCM
Contributor

Note: the same on Solaris10 x86

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...