I've just started adding forwarders to my Splunk indexer and I'm seeing hosts show up twice in the list of hosts. Once in the form:
foo.bar.baz
and then later as
foo
What I'm wondering is:
If it makes a difference, I do have the *NIX package installed on the indexer and on each of the forwarders.
I'm not sure that the *nix app has anything to do with this behavior. What specific sources/sourcetypes do you see this behavior exhibited for?
For the syslog sourcetype, Splunk extracts the hostname from the event itself. See this post for some more information:
It looks like the sourcetype is consistently syslog, and in the syslog source only the short name appears. Since I have machines crossing domains, my concern is that we could end up with foo.bar.baz being mixed up with foo.qux.baz, as they would both be recognized as foo.
Is there a way that I can force the forwarders to use the full hostname for the syslog sourcetype? Something like this:
[sourcetype=syslog]
host=`hostname`
Just to keep the config files as simple as possible.
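An added example, not part of the thread above and not an answer anyone posted: the two config fragments below pin the host metadata to the forwarder's FQDN and stop the indexer from rewriting it with the short name found inside each syslog event. It assumes Splunk's shipped default props.conf gives the syslog sourcetype an index-time transform named syslog-host (check $SPLUNK_HOME/etc/system/default/props.conf on your version before relying on that name), and that parsing happens on the indexer or a heavy forwarder, which is where index-time transforms run; a universal forwarder does not apply them. foo.bar.baz is a placeholder for the real FQDN of each forwarder.

```ini
# Added example (not from the thread above). Assumes Splunk's shipped default
# props.conf gives the syslog sourcetype "TRANSFORMS = syslog-host", which
# rewrites the host field from the hostname inside each syslog event. Verify
# the stanza name against $SPLUNK_HOME/etc/system/default/props.conf.

# --- On each forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Pin the host metadata to the FQDN instead of whatever `hostname` returns.
# foo.bar.baz is a placeholder; use the real FQDN of that forwarder.
[default]
host = foo.bar.baz

# --- On the indexer (or heavy forwarder, wherever parsing happens):
#     $SPLUNK_HOME/etc/system/local/props.conf ---
# Before (shipped default, shown only for comparison): the hostname inside the
# event overrides the forwarder's host value, so a line such as
# "Nov  3 10:01:02 foo sshd[1234]: ..." is indexed with host=foo even when the
# forwarder sent host=foo.bar.baz.
#
# [syslog]
# TRANSFORMS = syslog-host

# After: clear the index-time transform for the syslog sourcetype so the host
# set by the forwarder (the FQDN above) is kept as-is. Restart splunkd on the
# indexer afterwards; events already indexed keep their old host value.
[syslog]
TRANSFORMS =
```

After the restart, a quick check is a search such as sourcetype=syslog | stats count by host over a recent window: newly indexed events should show only the FQDNs, and foo.bar.baz and foo.qux.baz should no longer collapse into a single foo. Note that clearing TRANSFORMS for [syslog] removes host extraction for every syslog event that sourcetype receives, including data arriving over a network syslog input where the event's own hostname was the only host information available; for those inputs, set host explicitly in inputs.conf the same way.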