Solved: Hosts appearing in host list with short and long n...

colinj · ‎12-16-2011

I've just started adding forwarders to my Splunk indexer and I'm seeing hosts show up twice in the list of hosts. Once in the form:

foo.bar.baz

and then later as

foo

What I'm wondering is:

What causes this?
How do I make sure that everything is indexed with the long host names?

If it makes a difference I do have the *NIX package installed on the indexer and each of the forwarders.

araitz · ‎12-16-2011

I'm not sure that the *nix app has anything to do with this behavior. What specific sources/sourcetypes do you see this behavior exhibited for?

View solution in original post

araitz · ‎12-16-2011

I'm not sure that the *nix app has anything to do with this behavior. What specific sources/sourcetypes do you see this behavior exhibited for?

araitz · ‎12-19-2011

For the syslog sourcetype, Splunk extracts the hostname from the event itself. See this post for some more information:

http://splunk-base.splunk.com/answers/8659/set-hostname-correctly-for-syslog-input-coming-into-forwa...

colinj · ‎12-16-2011

It looks like the sourcetype is consistently syslog and in the syslog source only the short name appears. Since I have machines crossing domains my concern is that we could end up with foo.bar.baz being mixed up with foo.qux.baz as they would both be recognized as foo.

Is there a way that I can force the forwarders to use the full hostname for the syslog sourcetype? Something like this:

[sourcetype=syslog]
host=`hostname`

Just to keep the config files as simple as possible.

Hosts appearing in host list with short and long names

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!