Syslog disk full Alert after changing hostname of the server

thesriidhar
Explorer

Dear Helpers,

I keep getting a syslog disk full alert after changing the hostname of the server where I installed the Splunk forwarder to forward all the logs to the Splunk indexing server.

As I checked, only 16% of the disk space is occupied.

Kindly help me on this issue.

Million thanks in advance!!!

0 Karma

thesriidhar
Explorer

If you rename the syslog server (Linux), you need to change the host name in the following files:

/opt/splunkforwarder/etc/system/local/input.conf

/opt/splunkforwarder/etc/system/local/server.conf

Once that is done, you need to restart the Splunk services.

/etc/init.d/splunk restart

After it is done, it will reflect within 10 mins. (Splunk will still show the old host name as well, but after 24 hours it will remove it automatically.)

Finally worked for me.

Thank you all for your time and efforts!!!

0 Karma
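
A drift check for the procedure in the accepted answer above, as an added example that is not part of the original posts or Splunk's own tooling: it reads `host` under `[default]` in inputs.conf and `serverName` under `[general]` in server.conf and reports any value that differs from the expected host name. The function names, host names and sample config are constructed for illustration; the file name inputs.conf is the one Splunk uses.

```shell
#!/bin/sh
# Added example: find Splunk forwarder settings that still carry an old host name.

# Print the value of KEY inside [STANZA] of a Splunk .conf file.
conf_value() {  # usage: conf_value FILE STANZA KEY
  awk -v stanza="[$2]" -v key="$3" '
    /^[ \t]*#/  { next }                                  # skip comment lines
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_s = ($0 == stanza); next }
    in_s {
      eq = index($0, "=")
      if (!eq) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)                      # trim key
      gsub(/^[ \t]+|[ \t]+$/, "", v)                      # trim value
      if (k == key) { print v; exit }
    }' "$1" 2>/dev/null
}

# Compare one setting with the expected name; print a line and fail on mismatch.
check_one() {  # usage: check_one FILE STANZA KEY EXPECTED
  val=$(conf_value "$1" "$2" "$3") || val=""
  [ "$val" = "$4" ] && return 0
  echo "MISMATCH ${1##*/} [$2] $3='${val:-<unset>}' expected='$4'"
  return 1
}

# Check both files in LOCAL_DIR; the return status is the number of mismatches.
check_forwarder_host() {  # usage: check_forwarder_host LOCAL_DIR EXPECTED
  cfh_n=0
  check_one "$1/inputs.conf" default host "$2" || cfh_n=$((cfh_n + 1))
  check_one "$1/server.conf" general serverName "$2" || cfh_n=$((cfh_n + 1))
  return "$cfh_n"
}

# Constructed sample config directory (not taken from a real forwarder).
make_sample() {  # usage: make_sample INPUTS_HOST SERVER_NAME
  d=$(mktemp -d)
  printf '[monitor:///var/log]\nhost = other\n\n[default]\nhost = %s\n' "$1" >"$d/inputs.conf"
  printf '# local overrides\n[general]\nserverName = %s\n' "$2" >"$d/server.conf"
  echo "$d"
}

# Demo: inputs.conf was updated after the rename, server.conf was not.
demo=$(make_sample syslog-new syslog-old)
drift=0
check_forwarder_host "$demo" syslog-new || drift=$?
echo "mismatches: $drift"
rm -rf "$demo"
```

On a forwarder, the equivalent call would be `check_forwarder_host /opt/splunkforwarder/etc/system/local "$(hostname)"`.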

MuS
Legend

Feel free to up-vote and/or accept any answers to show your support - and you will get karma too 😉

thesriidhar
Explorer

Thanks a lot for the information, MuS.

Just now checked, there is no old entry. I didn't make any change other than changing the hostname in the above mentioned files.

I'm good now.

Million thanks for your efforts / time.

Let me come up with my other doubts and queries.

I love this community.

MuS
Legend

The old host will be found by searches as long as it is available in your data and/or metadata. Maybe you should look at the delete command, which will hide events from showing up in searches: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delete

thesriidhar
Explorer

Hello MuS,

Thanks for the info / response ...

As I checked, when I change the hostname I need to update the same in the following:

/opt/splunkforwarder/etc/system/local/input.conf

/opt/splunkforwarder/etc/system/local/server.conf

Once that is done, the new name is reflected. But again I could see the old one as well, with the error "Missing", in the Splunk server.

Do you have any clue on this?

0 Karma

grijhwani
Motivator

If you have changed the host name, have you also changed its IP address? If Splunk was configured to allow access only from the original IP then that could be your problem. Doubtful though.

Not sure why you would want to begin by blaming Splunk. I'd be inclined to treat the error message literally to begin with. (Most errors say what they mean.) Has your changing the name of the host caused errors elsewhere in the system which have caused sufficient error messages to be generated that the local syslog partition is in fact full? Do you have any log rotation? Is the problem's correspondence with the change of hostname purely coincidental? These are all novice questions. If you are running Linux as a novice, you need to understand that changing the host name may have consequences you have not allowed for. Quite aside from the issue you may or may not be having with Splunk, you need to understand those first, and seek help in a more appropriate forum (linuxquestions.org for example).

0 Karma

MuS
Legend

Hi, I'm pretty sure this is not caused by nor related to Splunk. Perform basic troubleshooting on where and why those messages occur and fix that problem.

0 Karma