
Custom app not deployed by SplunkUniversalForwarder if the client's computer name doesn't match the Splunk hostname.

aaronvt
Loves-to-Learn

Our company's IT/Ops team manages a Splunk Cloud server and they have set up various custom apps for our different services; one such app has all the monitors and other configuration necessary for a specific API's logs to be included in Splunk Cloud.


In the past, after installing SplunkUniversalForwarder we have been able to rename a computer (EC2 instance running Windows Server), set the C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file to use the computer's name as the default hostname, and restart the Splunk service; the custom app folder would then automatically be deployed to C:\Program Files\SplunkUniversalForwarder\etc\apps and all the API logs would show up just fine in Splunk Cloud.


We do not want to rename the computers anymore, though. If I set inputs.conf with a default hostname that is different from the computer's name and then restart the Splunk service, it will not deploy the custom app folder and the API's logs will not be accessible in Splunk Cloud. The hostname is confirmed to be working, though, because Splunk logs (from sourcetype "splunkd") start showing up in Splunk Cloud with the host name set in the inputs.conf file.


I could manually add monitors to the inputs.conf file, but then I guess our IT/Ops won't be able to administer changes via the app. So, is it possible to download that custom app without renaming the computers?


richgalloway
SplunkTrust

The hostname must match a serverclass in your Splunk deployment server (DS) for the UF to get its configurations. Review the whitelist settings in your DS's server classes to make sure they include all of the expected host names.

---
If this reply helps you, Karma would be appreciated.

aaronvt
Loves-to-Learn

The hostname I set is the same in both scenarios: eon-avt-api/i-xxxxxxxxxx. Here is the serverclass configuration:

[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*

[serverClass:ewda_nonprod_rw:app:ewda_nonprod_rw]
#restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

The problem is that it will only download the ewda_nonprod_rw app if the computer name and Splunk hostname are both eon-avt-api/i-xxxxxxxxxx. If the Splunk hostname is eon-avt-api/i-xxxxxxxxxx but the computer name is different then the ewda_nonprod_rw app is not downloaded.

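To make the selection logic in the reply above concrete, here is a small Python model of how a deployment server applies the whitelist/blacklist entries of the serverclass stanza posted in this thread; it is an added illustration, not code from the thread or from Splunk. It assumes, per the serverclass.conf documentation, that filter entries are compared against the client's reported clientName, hostname, IP and DNS name (so the `host` value from inputs.conf is not consulted), that `*` is the only wildcard and matching is case-insensitive, and that the client names and IPs are constructed placeholders.

```python
import re
# serverclass.conf stanza copied from the thread above
SERVERCLASS_CONF = """
[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*
"""
# client attributes a DS filter entry is compared against (assumed, per serverclass.conf docs)
MATCHED_ATTRS = ("clientName", "hostname", "ip", "dns")

def parse_serverclass(text):
    """Return {"serverClass:<name>": {"whitelist": [...], "blacklist": [...]}} per class stanza."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # filters live on the class stanza; ':app:' sub-stanzas carry only app settings
            current = name if name.startswith("serverClass:") and name.count(":") == 1 else None
            if current:
                classes[current] = {"whitelist": [], "blacklist": []}
        elif current and "=" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            if key.split(".")[0] in ("whitelist", "blacklist"):
                classes[current][key.split(".")[0]].append(value)
    return classes

def pattern_matches(pattern, value):
    """'*' matches any run of characters; everything else is literal. Case-insensitivity is assumed."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def client_selected(filters, client):
    """Default filterType=whitelist: a blacklist hit excludes, otherwise a whitelist hit includes.
    Only reported identity attributes count; an inputs.conf 'host' override is not one of them."""
    identities = [client[a] for a in MATCHED_ATTRS if client.get(a)]
    if any(pattern_matches(p, i) for p in filters["blacklist"] for i in identities):
        return False
    return any(pattern_matches(p, i) for p in filters["whitelist"] for i in identities)

CLIENTS = {  # constructed deployment clients with placeholder names (not from the thread)
    "renamed computer": {"hostname": "eon-avt-api", "ip": "10.0.0.11", "inputs_host": "eon-avt-api"},
    "default computer name": {"hostname": "EC2AMAZ-1A2B3C", "ip": "10.0.0.12", "inputs_host": "eon-avt-api"},
    "clientName set": {"clientName": "eon-avt-api", "hostname": "EC2AMAZ-1A2B3C", "ip": "10.0.0.13"},
    "prod host": {"hostname": "eon-prod-api", "ip": "10.0.0.14"},
}
if __name__ == "__main__":
    rules = parse_serverclass(SERVERCLASS_CONF)["serverClass:ewda_nonprod_rw"]
    print({name: client_selected(rules, box) for name, box in CLIENTS.items()})
```

Only the client whose reported hostname (or an explicit clientName) matches `eon-*` is selected; the box that merely sets `host` in inputs.conf is not, which mirrors the behaviour described in the question.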