We deploy code to Azure Cloud Apps and I have a script to re-write the host portion of the inputs.conf for the universal forwarder by adding the role name and deployment id. This means that we can track down logs to a particular instance if we need to.
However, even when I override this value, the performance counter data that hits the indexer has the computer's name as the host instead of the value in inputs.conf.
How do I go about getting the right host text used? I'm not sure about changing the source type since it's set to Perfmon in Splunk and I assume that's a good thing.
The problem was in my deployment script. I was setting Host (with a capital H) instead of host (with a lowercase h). If that happens, it seems Splunk just ignores it.
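A pre-deployment check for the mistake described in this answer, as an added example that is not part of the original thread: it flags settings whose names match a known key only when case is ignored (such as `Host`). The key list is taken from the stanzas quoted on this page; the function name and the sample file are constructed for illustration.

```python
import re

# Setting names exactly as spelled in the stanzas quoted in this thread.
# Not a complete list of inputs.conf settings; extend it for your own inputs.
KNOWN_KEYS = {"host", "sourcetype", "source", "object", "instances",
              "counters", "useEnglishOnly", "interval", "disabled"}
BY_FOLDED = {k.lower(): k for k in KNOWN_KEYS}

STANZA = re.compile(r"^\[([^\]]*)\]$")
SETTING = re.compile(r"^([^=\s][^=]*?)\s*=")


def find_miscased_keys(conf_text):
    """Return (line_no, stanza, found, expected) for miscased setting names."""
    findings, stanza = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if (m := STANZA.match(line)):
            stanza = m.group(1)
        elif (m := SETTING.match(line)):
            key = m.group(1)
            expected = BY_FOLDED.get(key.lower())
            # Flag only names that differ from a known key by case alone.
            if expected is not None and key != expected:
                findings.append((line_no, stanza, key, expected))
    return findings


# Constructed sample: the thread's stanzas with the capital-H mistake.
SAMPLE = """\
[default]
Host = myCustomNameNotComputerName
[perfmon://Processor]
object = Processor
counters = % Processor Time;% User Time
useEnglishOnly = 1
"""

if __name__ == "__main__":
    for line_no, stanza, found, expected in find_miscased_keys(SAMPLE):
        print(f"line {line_no} [{stanza}]: '{found}' should be '{expected}'")
```

Running this against the generated file in the deployment script, and failing the deployment on any finding, catches the typo before the forwarder is restarted.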
inputs.conf is the right place.
Check which is the current active configuration with btool:
$SPLUNK_HOME/bin/splunk cmd btool --debug inputs list
I guess you are talking about tcp-input.
like:
[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log
You need to restart your instance after rewriting for the changes to take effect.
No, it's specifically for Windows performance counters.
I have something like
[default]
host = myCustomNameNotComputerName
[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 10
disabled = 0
When this perf data appears in Splunk it's showing the computer name and not the custom name. I could override it for each perfmon stanza but that sounds like a big old pile of wait for someone to forget to add it.
And the service is restarted after the modifications have been made.
> * Note: The perfmon stanza is for local systems ONLY. To define performance monitor inputs for remote machines, use wmi.conf.
from the documentation
If you wish to change the name Splunk uses for this whole instance, change it via server.conf.
> [general]
> serverName =
> * The name used to identify this Splunk instance for features such as distributed search.
> * Defaults to -.
> * May not be an empty string
> * May contain environment variables
> * After any environment variables have been expanded, the server name (if not an IPv6 address) can only contain letters, numbers, underscores, dots, and dashes; and it must start with a letter, number, or an underscore.
>
> hostnameOption =
> * The option used to specify the detail in the server name used to identify this Splunk instance.
> * Can be one of fullyqualifiedname, clustername, shortname
> * Is applicable to Windows only
> * May not be an empty string
If I'm wrong with my guesses, please consider being more precise.
Nope sorry. I put a new name in the server.conf and ran the btool as suggested by @mzorzi which does show my new name as being the host, but when the data is indexed the host is back to being the computer name. 😞