
Custom app not deployed by SplunkUniversalForwarder if the client's computer name doesn't match the Splunk hostname.

aaronvt
Loves-to-Learn

Our company's IT/Ops team manages a Splunk Cloud server and they have set up various custom apps for our different services. One such app has all the monitors and other configuration necessary for a specific API's logs to be included in the Splunk Cloud.

In the past, after installing SplunkUniversalForwarder we have been able to rename a computer (EC2 Instance running Windows Server), set the C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file to use the computer's name as the default hostname, and restart the Splunk service and then the custom app folder would automatically be deployed to C:\Program Files\SplunkUniversalForwarder\etc\apps and all the API logs would show up just fine in Splunk Cloud.

We do not want to rename the computers anymore, though, but if I set the inputs.conf with a default hostname that is different than the computer's name and then restart the Splunk service then it will not deploy the custom app folder and the API's logs will not be accessible in Splunk Cloud. The hostname is confirmed to be working, though, because it will start showing Splunk logs (from sourcetype "splunkd") in Splunk Cloud with the host name set in the inputs.conf file.

I could manually add monitors to the inputs.conf file, but then I guess our IT/Ops won't be able to administer changes via the app. So, is it possible to download that custom app without renaming the computers?

0 Karma

richgalloway
SplunkTrust

The hostname must match a serverclass in your Splunk deployment server (DS) for the UF to get its configurations.  Review the whitelist settings in your DS's server classes to make sure they include all of the expected host names.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aaronvt
Loves-to-Learn

The hostname I set is the same in both scenarios: eon-avt-api/i-xxxxxxxxxx. Here is the serverclass configuration:

[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*

[serverClass:ewda_nonprod_rw:app:ewda_nonprod_rw]
#restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

The problem is that it will only download the ewda_nonprod_rw app if the computer name and Splunk hostname are both eon-avt-api/i-xxxxxxxxxx. If the Splunk hostname is eon-avt-api/i-xxxxxxxxxx but the computer name is different then the ewda_nonprod_rw app is not downloaded.

0 Karma
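Added example, not part of the original thread and not Splunk's code: a small Python check that evaluates the serverclass filters posted above against candidate client names, to see which names the server class would select. It assumes the default filter behaviour (a name must match a whitelist entry and no blacklist entry), that `*` is the only wildcard, and that the deployment server compares these filters with identifiers the client reports (such as its own host name or a `clientName`) rather than the `host` value in inputs.conf; the second and third candidate names are constructed.

```python
import re

# Filter stanza as posted in the thread.
SERVERCLASS = """\
[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*
"""

def parse_filters(conf_text):
    """Return {stanza: {"whitelist": [...], "blacklist": [...]}}."""
    classes, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = classes.setdefault(
                line[1:-1], {"whitelist": [], "blacklist": []})
            continue
        key, _, value = line.partition("=")
        kind = key.strip().split(".")[0]   # "whitelist.1" -> "whitelist"
        if current is not None and kind in current:
            current[kind].append(value.strip())
    return classes

def wildcard_match(pattern, name):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def is_selected(filters, name):
    """Assumed default: whitelisted names are selected unless blacklisted."""
    allowed = any(wildcard_match(p, name) for p in filters["whitelist"])
    denied = any(wildcard_match(p, name) for p in filters["blacklist"])
    return allowed and not denied

def evaluate(conf_text, names):
    """Map each server class to {name: selected?} for the given names."""
    return {stanza: {n: is_selected(f, n) for n in names}
            for stanza, f in parse_filters(conf_text).items()}

if __name__ == "__main__":
    candidates = ["eon-avt-api/i-xxxxxxxxxx",  # host value from the thread
                  "ec2amaz-example",           # constructed computer name
                  "eon-prod-api"]              # constructed, hits blacklist
    for stanza, results in evaluate(SERVERCLASS, candidates).items():
        for name, ok in results.items():
            print(f"{stanza}: {name} -> {'selected' if ok else 'not selected'}")
```

Running the same check with the name the forwarder actually reports to the deployment server shows whether a whitelist entry needs to be added for it.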