Our company's IT/Ops team manages a Splunk Cloud server and they have set up various custom apps for our different services; one such app has all the monitors and other configuration necessary for a specific API's logs to be included in the Splunk Cloud.
In the past, after installing SplunkUniversalForwarder we have been able to rename a computer (EC2 Instance running Windows Server), set the C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file to use the computer's name as the default hostname, and restart the Splunk service and then the custom app folder would automatically be deployed to C:\Program Files\SplunkUniversalForwarder\etc\apps and all the API logs would show up just fine in Splunk Cloud.
We do not want to rename the computers anymore, though, but if I set the inputs.conf with a default hostname that is different than the computer's name and then restart the Splunk service then it will not deploy the custom app folder and the API's logs will not be accessible in Splunk Cloud. The hostname is confirmed to be working, though, because it will start showing Splunk logs (from sourcetype "splunkd") in Splunk Cloud with the host name set in the inputs.conf file.
I could manually add monitors to the inputs.conf file, but then I guess our IT/Ops won't be able to administer changes via the app. So, is it possible to download that custom app without renaming the computers?
The hostname must match a serverclass in your Splunk deployment server (DS) for the UF to get its configurations. Review the whitelist settings in your DS's server classes to make sure they include all of the expected host names.
The hostname I set is the same in both scenarios: eon-avt-api/i-xxxxxxxxxx. Here is the serverclass configuration:
[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*
[serverClass:ewda_nonprod_rw:app:ewda_nonprod_rw]
#restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
The problem is that it will only download the ewda_nonprod_rw app if the computer name and Splunk hostname are both eon-avt-api/i-xxxxxxxxxx. If the Splunk hostname is eon-avt-api/i-xxxxxxxxxx but the computer name is different then the ewda_nonprod_rw app is not downloaded.
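The following is an added example, not part of the thread and not Splunk's own code: a small model of how the whitelist and blacklist entries posted above are evaluated for a deployment client. It assumes the deployment server compares the filters against values the client reports about itself (client name, machine host name, DNS name, IP address) and not against the `host` value in inputs.conf, which is consistent with the behaviour described in the last post; `client_name` stands for the `clientName` setting in deploymentclient.conf, and the computer name `EC2AMAZ-EXAMPLE` is constructed.

```python
import re

# Filters copied from the [serverClass:ewda_nonprod_rw] stanza posted above.
WHITELIST = ["eon-test*", "eon-*"]
BLACKLIST = ["eon-prod*"]


def _pattern(glob):
    # Only "*" is a wildcard here; every other character is matched literally.
    # Case-sensitive comparison is an assumption of this sketch.
    return re.compile(".*".join(re.escape(p) for p in glob.split("*")) + r"\Z")


def _hit(globs, values):
    return any(_pattern(g).match(v) for g in globs for v in values)


def reported_attributes(machine_hostname, client_name=None, ip=None, dns_name=None):
    """Values this model assumes the client reports when it phones home.

    The inputs.conf `host` setting is deliberately not a parameter: it labels
    indexed events and is assumed to play no part in server class matching.
    """
    return [v for v in (client_name, machine_hostname, dns_name, ip) if v]


def in_server_class(attrs, whitelist=WHITELIST, blacklist=BLACKLIST):
    # A blacklist match excludes the client even if a whitelist entry matches.
    if _hit(blacklist, attrs):
        return False
    return _hit(whitelist, attrs)


if __name__ == "__main__":
    # Constructed sample clients for the scenarios described in the thread.
    cases = {
        "renamed computer": reported_attributes("eon-avt-api/i-xxxxxxxxxx"),
        "original computer name": reported_attributes("EC2AMAZ-EXAMPLE"),
        "original name + clientName": reported_attributes(
            "EC2AMAZ-EXAMPLE", client_name="eon-avt-api/i-xxxxxxxxxx"),
        "prod host": reported_attributes("eon-prod-api"),
    }
    for label, attrs in cases.items():
        state = "app deployed" if in_server_class(attrs) else "no match"
        print(f"{label:28} {attrs} -> {state}")
```
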