Sorry, no answer, just want to add the fact this is a problem in certain environments where a deployment server is used as it should be to deploy clients. We initially deployed manually (no deployment server) and would remove the [default] host = computer name from the /etc/local/inputs.conf. This resulted in the host name being the FQDN...perfect. Now we are trying to migrate to the new Universal Forwarders using a deployment server, a test run on one host worked great with the exception that it now has a capitalized computer name in Splunk...so now I have two host names for the same box. I understand I can put [default] host = fqdn in the inputs.conf, but that defeats the purpose of a deployment server, I basically need an entry for every device (>300) in my serverclass.conf
... View more