I have 9 Splunk servers. All of them are showing the correct FQDN for the host name. One system is showing the NetBIOS or short name as the host name.
I looked at the system hostname, in all the outputs and inputs, but cannot seem to find where Splunk is getting the host = myserver instead of host = myserver.domain.com.
Can I use BTOOL to find out where this is coming from?
Can I use BTOOL to find the $decideOnStartup variable?
All data that is indexed in Splunk has a host field. Events will be assigned a default value for host if it is not specified in inputs.conf at input time. The host value can be overridden at input or parsing time using either props.conf or transforms.conf. So you really need to examine all of these. And yes, you can use btool for each of them.
You can't use btool to find the $decideOnStartup variable: are you using this?
I think that you may be looking for the server name, which is set in etc/system/local/server.conf on the indexer. In server.conf, look for this:
[general]
serverName = your-default-host
You can edit server.conf to change this. Be sure to restart Splunk for the change to take effect.
I did find where it was entered using the btool.
It was under the [default] stanza at the top of inputs.conf in system/local, like this:
[default]
host = mysystem
I changed this to:
[default]
host = mysystem.domain.com
This fixed the problem.
Thanks for the help.
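Added example (not part of the original thread, and not Splunk's own tooling): a shell filter over `splunk btool <conf> list --debug` output that reports which file and stanza supply a short-name host, a `$decideOnStartup` host, or a transforms.conf host override, which is the search the thread describes. The sample input is constructed, and the filter assumes each debug line is a file path without spaces followed by the setting.

```shell
#!/bin/sh
# Usage on a Splunk host (run for each conf file the answer names):
#   splunk btool inputs list --debug     | find_host_sources
#   splunk btool transforms list --debug | find_host_sources
# Output columns (tab separated): kind, file, stanza, value

find_host_sources() {
  awk '
    # Stanza header: remember it for the settings that follow.
    $2 ~ /^\[/ {
      stanza = $2
      for (i = 3; i <= NF; i++) stanza = stanza " " $i
      next
    }
    # Input-time host setting (inputs.conf).
    $2 == "host" && $3 == "=" {
      kind = "short-name"
      if ($4 == "$decideOnStartup") kind = "decided-at-startup"
      else if ($4 ~ /\./) next   # contains a dot: treated as an FQDN
      printf "%s\t%s\t%s\t%s\n", kind, $1, stanza, $4
    }
    # Parse-time host rewrite (transforms.conf).
    $2 == "DEST_KEY" && $4 == "MetaData:Host" {
      printf "%s\t%s\t%s\t%s\n", "parse-time-override", $1, stanza, $4
    }
  '
}

# Constructed sample of btool --debug output (paths and stanzas are made up).
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/system/local/inputs.conf [default]
/opt/splunk/etc/system/local/inputs.conf host = mysystem
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/apps/search/local/inputs.conf [monitor:///var/log/messages]
/opt/splunk/etc/apps/search/local/inputs.conf host = myserver.domain.com
/opt/splunk/etc/system/default/inputs.conf [splunktcp]
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/apps/search/local/transforms.conf [set_host]
/opt/splunk/etc/apps/search/local/transforms.conf DEST_KEY = MetaData:Host
EOF
}

sample_btool_output | find_host_sources
```

A consistent host value matters for search and alerting because the same machine reported under both a short name and an FQDN splits its events across two host values.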