Getting Data In

Why is my script to override the host name in inputs.conf for a universal forwarder not applying to perfmon sourcetype?

dybevan
Explorer

We deploy code to Azure Cloud Apps and I have a script to re-write the host portion of the inputs.conf for the universal forwarder by adding the role name and deployment id. This means that we can track down logs to a particular instance if we need to.
However, even when I override this value, the performance counter data that hits the indexer has the computer's name as the host instead of the value in inputs.conf.
How do I go about getting the right host text used? I'm not sure about changing the source type since it's set to Perfmon in Splunk and I assume that's a good thing.

0 Karma
1 Solution

dybevan
Explorer

The problem was in my deployment script. I was setting Host (with a capital H) instead of host (with a lowercase h). If that happens, it seems Splunk just ignores it.
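
A pre-deployment check for the mistake described in the accepted solution, as an added example that is not part of the original thread: it flags keys in a single inputs.conf that match a known setting name except for letter case (such as `Host`) and reports whether the file actually sets a lowercase `host` for a given stanza. `KNOWN_KEYS`, the function names and the sample text are assumptions for illustration; it reads one file only and does not reproduce Splunk's layered configuration merging.

```python
# Added example (not from the thread): lint one inputs.conf for mis-cased keys.
# KNOWN_KEYS holds only the settings that appear in this thread; extend as needed.
KNOWN_KEYS = ("host", "sourcetype", "source", "object", "instances",
              "counters", "useEnglishOnly", "interval", "disabled")
BY_LOWER = {k.lower(): k for k in KNOWN_KEYS}

def parse_conf(text):
    """Yield (line_no, stanza, key, value) for every 'key = value' line."""
    stanza = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            yield line_no, stanza, key.strip(), value.strip()

def find_miscased_keys(text):
    """Return (line_no, stanza, written, expected) for keys wrong only by case."""
    return [(n, s, k, BY_LOWER[k.lower()])
            for n, s, k, _ in parse_conf(text)
            if k.lower() in BY_LOWER and k != BY_LOWER[k.lower()]]

def configured_host(text, stanza):
    """Host this file sets for a stanza: its own, else [default]'s, else None."""
    # Only the exact lowercase key counts, matching what the thread reports.
    hosts = {s: v for _, s, k, v in parse_conf(text) if k == "host"}
    return hosts.get(stanza, hosts.get("default"))

# Constructed sample: the thread's config as the faulty deployment script wrote it.
SAMPLE = """\
[default]
Host = myCustomNameNotComputerName

[perfmon://Processor]
object = Processor
counters = % Processor Time;% User Time
interval = 10
disabled = 0
"""

if __name__ == "__main__":
    for line_no, stanza, written, expected in find_miscased_keys(SAMPLE):
        print(f"line {line_no} [{stanza}]: '{written}' should be '{expected}'")
    print("host override:", configured_host(SAMPLE, "perfmon://Processor"))
```

A result of `None` from `configured_host` means the file sets no host override for that stanza, which is the symptom reported in the question.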

mzorzi
Splunk Employee

inputs.conf is the right place.

Check which is the current active configuration with btool:

$SPLUNK_HOME/bin/splunk cmd btool --debug inputs list

effem
Communicator

I guess you are talking about tcp-input.
like:

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

You need to restart your instance after rewriting for the changes to take effect.

dybevan
Explorer

No, it's specifically for Windows performance counters.
I have something like:

[default]
host = myCustomNameNotComputerName

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 10
disabled = 0

When this perf data appears in Splunk it's showing the computer name and not the custom name. I could override it for each perfmon stanza but that sounds like a big old pile of wait for someone to forget to add it.

And the service is restarted after the modifications have been made.

0 Karma

effem
Communicator
> * Note: The perfmon stanza is for local systems ONLY. To define performance monitor inputs for remote machines, use wmi.conf.

from the documentation

If you wish to change the name Splunk uses for this whole instance, change it via server.conf.

> [general]
> serverName = 
>     * The name used to identify this Splunk instance for features such as distributed search.
>     * Defaults to -.
>     * May not be an empty string
>     * May contain environment variables
>     * After any environment variables have been expanded, the server name (if not an IPv6 address) can only contain letters, numbers, underscores, dots, and dashes; and it must start with a letter, number, or an underscore.
> 
> hostnameOption = 
>     * The option used to specify the detail in the server name used to identify this Splunk instance.
>     * Can be one of fullyqualifiedname, clustername, shortname
>     * Is applicable to Windows only
>     * May not be an empty string

Serverconf-Doc

If I'm wrong with my guesses, please consider being more precise.

0 Karma

dybevan
Explorer

Nope sorry. I put a new name in the server.conf and ran the btool as suggested by @mzorzi which does show my new name as being the host, but when the data is indexed the host is back to being the computer name. 😞

0 Karma