So after months of battling an issue with our indexers dropping connections, we determined that there was a problem with the indexers performing reverse DNS lookups for the connecting servers. To mitigate, we added 'connection_host = none' to the inputs.conf, resolving the issue.
If I understand how the host field in the indexed events is populated correctly, with 'connection_host = none' set on the indexers we will now rely on the 'host = ' field in inputs.conf on the UFs. I know this value is automatically populated with the server name when Splunk is first installed; however, what happens if a server is renamed? Will it modify the inputs.conf to replace the 'host =' field with the new server name?
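A check for the situation raised in the question, as an added example that is not part of the original post: it compares the static `host` value in a forwarder's inputs.conf with the machine's current hostname so that any mismatch after a rename is visible. The sample file content is constructed, the function names are hypothetical, and it assumes the value sits in the `[default]` stanza (or above any stanza header).

```python
import socket

# Constructed sample of a forwarder's inputs.conf on a server that has been renamed.
SAMPLE_INPUTS_CONF = """\
# written at install time
[default]
host = web01-old

[monitor:///var/log/messages]
sourcetype = syslog
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    # Assumption: keys that appear before any stanza header are filed under "default".
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def short_name(name):
    """Lower-cased hostname without any domain suffix, for comparison."""
    return name.split(".", 1)[0].lower()

def host_drift(conf_text, actual_hostname):
    """Return (configured, actual) when the static host value differs, else None."""
    configured = parse_conf(conf_text).get("default", {}).get("host")
    if configured is None:
        return None  # no static host value set in this file
    if short_name(configured) != short_name(actual_hostname):
        return (configured, actual_hostname)
    return None

if __name__ == "__main__":
    drift = host_drift(SAMPLE_INPUTS_CONF, socket.gethostname())
    if drift:
        print("inputs.conf has host = %s, OS hostname is %s" % drift)
```

To run it against a real forwarder, read that forwarder's inputs.conf and pass its text in place of the constructed sample.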