Why is my Splunk Forwarder showing up as "$COMPUTERNAME"?

tmontney
Builder

I used the variable "$COMPUTERNAME" in my app's inputs.conf file. For all the PCs that got it, it's reporting their computer name, as expected. The only one that's a problem is my computer. For a while, I wasn't seeing any data for it. That was until I realized it was sending data under the host $COMPUTERNAME. I ran "splunk show servername" and it shows the right host name.

0 Karma
1 Solution

tmontney
Builder

By not specifying a host value, Splunk UF will automatically send the correct hostname.

0 Karma

dmaislin_splunk
Splunk Employee

When Splunk starts up for the first time, it writes a new inputs.conf in the $SPLUNK_HOME/etc/system/local subdirectory. This inputs.conf contains just a [default] section like you've described above, with the host set to the "discovered" name of the system. If you are looking to create a system image:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Integrateauniversalforwarderontoasystemimage

tmontney
Builder

I'm not actually trying to create a system image (although I might in the future). I simply created an app on the Splunk server, and deployed it to existing clients. Clients are only referencing the app, not the /etc/system/local conf (that's my intention anyway). Since this is going out automatically, the hostname needs to be a variable. This worked for all laptops except one (my own).

0 Karma
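
Added example (not part of the original thread, and not Splunk's own tooling): a small audit that lists every stanza in an inputs.conf that sets `host` explicitly, so the accepted solution of leaving `host` unset can be verified before an app is deployed. The sample config, the app path in its comment, and the name `find_host_overrides` are constructed for illustration.

```python
import re

# Constructed sample of a deployed app's inputs.conf (not from the thread).
SAMPLE_INPUTS_CONF = """\
# hypothetical_uf_inputs/local/inputs.conf
[default]
host = $COMPUTERNAME

[WinEventLog://Security]
disabled = 0

[monitor://C:\\Logs\\app.log]
host = LAPTOP-01
sourcetype = app_log
"""

STANZA = re.compile(r"^\[(?P<name>.*)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def find_host_overrides(conf_text):
    """Return (line_no, stanza, value, kind) for each explicit host setting.

    kind is "variable-like" when the value starts with "$" (it may reach the
    indexer as a literal string if it is not expanded on that machine) and
    "hard-coded" otherwise (every client receiving the app reports that name).
    """
    findings = []
    stanza = "(global)"  # settings that appear before any stanza header
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = STANZA.match(line)
        if header:
            stanza = header.group("name")
            continue
        setting = SETTING.match(line)
        if setting and setting.group("key") == "host":
            value = setting.group("value").strip()
            kind = "variable-like" if value.startswith("$") else "hard-coded"
            findings.append((line_no, stanza, value, kind))
    return findings


if __name__ == "__main__":
    for line_no, stanza, value, kind in find_host_overrides(SAMPLE_INPUTS_CONF):
        print(f"line {line_no}: [{stanza}] host = {value} ({kind})")
```

An empty result means the app leaves `host` unset, which is the state the accepted solution describes.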