Solved: Re: How to change the host name on remote instance...

Deepali529 · ‎12-28-2016

I have Splunk instance (master) from where I need to migrate indexed data to another instance (client). I have archive the indexed data on instance (master) by setting up NFS mount point and copied archived data in thawed bucket on instance (client). Now, I need to retrieve it on my new host (Client).
As, host name of both the machines are different when I retrieved it, it displays older host. name (master's host name).

Where to change host value so that it will show the client instance host name ?
Splunk version using = 6.5.0

lguinn2 · ‎01-01-2017

When data is indexed in Splunk, the host, source and sourcetype of the data are stored along with the raw events. Once indexed, these values cannot be changed. If what you want to see is the name of the machine that is storing the data, use splunk_server instead of host

View solution in original post

lguinn2 · ‎01-01-2017

When data is indexed in Splunk, the host, source and sourcetype of the data are stored along with the raw events. Once indexed, these values cannot be changed. If what you want to see is the name of the machine that is storing the data, use splunk_server instead of host

Deepali529 · ‎01-01-2017

in inputs.conf I need to mention splunk_server?

lguinn2 · ‎01-02-2017

Not in inputs.conf, use splunk_server in your search.

You should set the host name to the correct host in inputs.conf - but this will affect only newly indexed data. Data that has already been indexed will not change.

Deepali529 · ‎01-01-2017

thanks... 🙂 its showing the instance name(client server)

How to change the host name on remote instance (client)?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases