I am running Splunk Server and Universal Forwarder 4.2.1 98164. The config file "/opt/splunkforwarder/etc/system/local/server.conf" has the entry "serverName = nascpmpa1dr". This seems to work, as the results of "/opt/splunkforwarder/bin/splunk show servername" give the proper result, "Server name: nascpmpa1dr". But my Indexer sees the server as "nascpmpa1", which is what my Linux server's $HOSTNAME is set to. DNS resolves "nascpmpa1dr". I have this set up with several Linux servers using Splunk Light Forwarder 4.1 and they all give the hostname with the DR appended. Why does the Indexer file the syslog and warn logs under host="nascpmpa1" and not "nascpmpa1dr"? Why act differently between SLF 4.1 and UF 4.2.1?
The universal forwarder does behave differently in 4.2.0 and 4.2.1 than a Light/Heavy Forwarder did in 4.1.x (SPL-38141, check the Known Issues). Work is under way to resolve this issue.

All my hostnames are in lowercase. And the clipping of the "dr" off the names makes me think it is not this bug.
(06 May '11, 09:59)
arthurhamm
The title of the bug does not reflect every facet of the issue.
(06 May '11, 10:32)
ftk ♦
The Universal Forwarder 4.2.1 98164 release notes list SPL-38141 as a resolved issue. http://www.splunk.com/base/Documentation/4.2.1/ReleaseNotes/4.2.1
(09 May '11, 10:40)
arthurhamm
That's funny as it is listed under the known issues (data inputs) as well. No idea which one is correct.
(09 May '11, 12:26)
ftk ♦
The entry in server.conf is used only for identifying indexers when Splunk distributed search is used. It has nothing to do with how data is marked with a host name when it is indexed. (It is used to populate the It has no relationship or effect on forwarding or indexing of data. For that you need to look at the Update: Additionally, the default value for serverName in server.conf (remember, it is not relevant except for distributed search internal to Splunk) uses the value of either
