I'm running Splunk on RHEL, and using the Splunk App for Linux and Unix with the Universal Forwarder. I'm getting duplicate hosts though, ie:
foo
and
foo.bar.com
How can I get rid of the duplicate? I'd prefer to keep the FQDN.
1) Check that in you local inputs.conf the host is equal to the FQDN.
2) Check that the hostname of your RHEL server is set to the FQDN you configured in inputs.conf.
3) Restart splunk if you have made any changes in inputs.conf.
4) Check the sourcetypes reporting foo by executing this search command:
index=main |stats count by host source sourcetype
The result set should show you what logs are reporting foo.
I'd like to do the opposite. . . Is there a way, once and for all to do away with mismatched FQDN/Short names? I'd prefer to keep the short names, but when I set the inputs.conf to have a short name, I end up with FQDN's via DNS and syslog. Do I need to have a global lookup and reference my entire internal DNS record or is there a better way?