Splunk forwarder restart causing incorrect host na...

somesoni2 · ‎03-14-2014

Hi All,

I have few unix machine with Splunk forwarder installed on it. Everything was working fine and I was getting data from that server, say name was "myhost1". Yesterday, due to some reason I had to restart the forwarder. I made no changes to configuration file whatsoever but I restarted logged in as "root". After that all the data coming in has host values as "myhost1-root".

I again restarted the forwarder after few hours and I logged in as another user say mwuser and now host name is coming as "myhost1-mwuser".

Does anyone has faced this issue or provide me some guidance to how to troubleshoot this?
Thanks in advanced.

I_am_Jeff · ‎04-14-2014

Since you mention "root" I'll assume this is a UNIX/Linux implementation. If splunk was originally running as a non-root user, then started as root any new files will be owned by root and possibly not readable or changeable by others. If you go back to the non-root user, various strange things will happen as various files will be unreadable or unchangeable. Check the file ownerships.

somesoni2 · ‎03-14-2014

Thanks for your quick response. Logically, it should be the same issue as mentioned in the post (server.conf still has $HOSTNAME-$USERNAME). I have requested copy of server.conf from this server, waiting for it to confirm.

gnovak · ‎03-14-2014

When you installed the forwarder, did you specify the server to use by running:

./splunk add forward-server <servername>:9997 -auth <username>:<password>

? This is very strange...Never heard of this before but I'm checking out the post from before.

lukejadamec · ‎03-14-2014

I've never seen it, but someone has:
http://answers.splunk.com/answers/12662/universal-forwarder-adds-root-to-servername

Splunk forwarder restart causing incorrect host name

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life