Dear Helpers,
I keep getting a syslog disk full alert after changing the hostname of the server where I installed the Splunk forwarder to forward all the logs to the Splunk indexing server.
As I checked, only 16% of the disk space is occupied.
Kindly help me with this issue.
Million thanks in advance !!!
If you rename the syslog server (Linux), you need to change the host name in the following files:
/opt/splunkforwarder/etc/system/local/input.conf
/opt/splunkforwarder/etc/system/local/server.conf
Once that is done, you need to restart the Splunk services.
/etc/init.d/splunk restart
After that, it will be reflected within 10 minutes. (Splunk will still show the old host name as well, but after 24 hours it will remove it automatically.)
Finally worked for me.
Thank you all for your time and efforts!!!
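The procedure in the answer above, scripted as an added example (it is not code from the thread or from Splunk). It edits the two files the answer names, verifies both carry the new name before the restart, and leaves the restart as the last step. Assumptions: SPLUNK_HOME defaults to /opt/splunkforwarder, the local configuration lives in $SPLUNK_HOME/etc/system/local, and the settings are Splunk's documented `host` under `[default]` in inputs.conf (that is the real file name; the thread's "input.conf" is a typo) and `serverName` under `[general]` in server.conf. The function names and the SPLUNK_NEW_HOSTNAME variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: rename the host a Splunk universal
# forwarder reports as, then verify the change before restarting.
# Assumptions: SPLUNK_HOME defaults to /opt/splunkforwarder; local config is
# $SPLUNK_HOME/etc/system/local; keys are "[default] host" in inputs.conf and
# "[general] serverName" in server.conf. Function names are this example's own.

DEFAULT_CONF_DIR="${SPLUNK_HOME:-/opt/splunkforwarder}/etc/system/local"

# conf_set FILE STANZA KEY VALUE
# Set "KEY = VALUE" inside [STANZA] of a Splunk .conf file, creating the file,
# the stanza or the key if missing and dropping duplicate KEY lines in that
# stanza. Other stanzas and keys pass through untouched.
conf_set() {
    file=$1 stanza=$2 key=$3 value=$4
    [ -f "$file" ] || : > "$file"
    awk -v stanza="[$stanza]" -v key="$key" -v value="$value" '
        # Emit the key if we leave the target stanza without having written it.
        function flush() { if (in_stanza && !done) { print key " = " value; done = 1 } }
        /^\[/ { flush(); in_stanza = ($0 == stanza); if (in_stanza) seen = 1 }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) print key " = " value
            done = 1; next
        }
        { print }
        END {
            flush()
            if (!seen) { print stanza; print key " = " value }
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_forwarder_hostname NEWNAME [CONF_DIR]
# Apply the new name to both files named in the answer above.
set_forwarder_hostname() {
    newname=$1
    confdir=${2:-$DEFAULT_CONF_DIR}
    mkdir -p "$confdir"
    # inputs.conf: the host field stamped on every event the forwarder sends
    conf_set "$confdir/inputs.conf" default host "$newname"
    # server.conf: the name the forwarder identifies itself by to the indexer
    conf_set "$confdir/server.conf" general serverName "$newname"
}

# configured_host [CONF_DIR]
# Print the host value under [default] in inputs.conf (nothing if unset).
configured_host() {
    confdir=${1:-$DEFAULT_CONF_DIR}
    [ -f "$confdir/inputs.conf" ] || return 1
    awk '/^\[/ { s = $0 }
         s == "[default]" && /^[ \t]*host[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' \
        "$confdir/inputs.conf"
}

# check_hostname_matches [CONF_DIR] [EXPECTED]
# Succeed only when inputs.conf and server.conf both carry EXPECTED (default:
# the OS host name). This is the check to run before restarting the forwarder.
check_hostname_matches() {
    confdir=${1:-$DEFAULT_CONF_DIR}
    expected=${2:-$(hostname)}
    [ "$(configured_host "$confdir")" = "$expected" ] &&
        grep -Eq "^[[:space:]]*serverName[[:space:]]*=[[:space:]]*$expected[[:space:]]*$" \
            "$confdir/server.conf"
}

# The thread restarts with "/etc/init.d/splunk restart"; the forwarder's own
# CLI does the same without depending on the init script having been installed.
restart_forwarder() {
    "${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk" restart
}

# Run as a script:  SPLUNK_NEW_HOSTNAME=newname sh rename_forwarder.sh
if [ -n "${SPLUNK_NEW_HOSTNAME:-}" ]; then
    set_forwarder_hostname "$SPLUNK_NEW_HOSTNAME"
    check_hostname_matches "$DEFAULT_CONF_DIR" "$SPLUNK_NEW_HOSTNAME" && restart_forwarder
fi
```

The check runs against the files only; it cannot tell you what the indexer still lists, and events already indexed under the old name keep that host value regardless of the rename (that is the point MuS makes further down the thread about the delete command).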
Feel free to up-vote and/or accept any answers to show your support - and you will get karma too 😉
Thanks a lot for the information, MuS.
Just now checked, there is no old entry. I didn't make any change other than changing the hostname in the above mentioned files.
Now I'm good.
Million thanks for your efforts / time.
Let me come up with my other doubts and queries.
I love this community.
The old host will be found by searches as long as it is available in your data and/or metadata. Maybe you should look at the delete command, which will hide events from showing up in searches: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delete
Hello MuS,
Thanks for the info / response...
As I checked, when I change the hostname I need to update the same in the following:
/opt/splunkforwarder/etc/system/local/input.conf
/opt/splunkforwarder/etc/system/local/server.conf
Once it is done, the new name is reflected. But again I can see the old one as well, with the error "Missing" in the Splunk server.
Do you have any clue on this?
If you have changed the host name, have you also changed its IP address? If Splunk was configured to allow access only from the original IP, then that could be your problem. Doubtful, though.
Not sure why you would want to begin by blaming Splunk. I'd be inclined to treat the error message literally to begin with. (Most errors say what they mean.) Has your changing the name of the host caused errors elsewhere in the system, which has caused sufficient error messages to be generated that the local syslog partition is in fact full? Do you have any log rotation? Is the problem's correspondence with the change of hostname purely coincidental? These are all novice questions. If you are running Linux as a novice, you need to understand that changing the host name may have consequences you have not allowed for. Quite aside from the issue you may or may not be having with Splunk, you need to understand those first, and seek help in a more appropriate forum (linuxquestions.org, for example).
Hi, I'm pretty sure this is not caused by nor related to Splunk. Perform basic troubleshooting of where and why those messages occur and fix that problem.