Hello Splunkers,
When I search to see that host are in the appropriate index "index=indexname | stats count by host" I will see the same host listed twice. Once with the hostname of the forwarder and another with the FQDN of the forwarder. I believe that that culprit of this issue is because when engineers install forwards on host, they run "./splunk set forward-server ip_address:9997" then me as the splunk admin will add the sendtoindexer deployment app to the server class. Am I on the right track here or way off basis?
Thanks Splunkers!
... View more