Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

host name not showing correctly

hartfoml
Motivator
‎01-20-2015 12:41 PM

I have 9 Splunk servers. all of them are showing the correct FQDN for the host name. One system is showing the netbios or short name as the host name.

I Looked ad the system hostname, in all the outputs and inputs but can not seem to find where Splunk is getting the host = myserver instead of host = myserver.domain.com.

Can I use BTOOL to find out where this is comeing from?
Can I use BTOOL to find the $decideOnStartup vareable?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-20-2015 08:09 PM

All data that is indexed in Splunk has a host field. Events will be assigned a default value for host if it is not specified in inputs.conf at input time. The host value can be overridden at input or parsing time using either props.conf or transforms.conf. So you really need to examine all of these. And yes, you can use btool for each of them.

You can't use btool to find the $decideOnStartup variable: are you using this?

I think that you may be looking for the server name, which is set in etc/system/local/server.conf on the indexer. In server.conf, look for this

[general]
serverName = your-default-host

You can edit server.conf to change this. Be sure to restart Splunk for the change to take effect.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-20-2015 08:09 PM

All data that is indexed in Splunk has a host field. Events will be assigned a default value for host if it is not specified in inputs.conf at input time. The host value can be overridden at input or parsing time using either props.conf or transforms.conf. So you really need to examine all of these. And yes, you can use btool for each of them.

You can't use btool to find the $decideOnStartup variable: are you using this?

I think that you may be looking for the server name, which is set in etc/system/local/server.conf on the indexer. In server.conf, look for this

[general]
serverName = your-default-host

You can edit server.conf to change this. Be sure to restart Splunk for the change to take effect.

Reply
Solved! Jump to solution

hartfoml
Motivator
‎01-21-2015 05:55 AM

I did find where it was entered using the btool.

It was under the [default] at the top of inputs.conf in the system/local like this

[default]
host = mysystem

I changed this to:

[default]
host = mysystem.domain.com

This fixed the problem
Thanks for the help

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...