Greetings for the day. In my organization we use Splunk for all types of monitoring and i am stuck on one issue which is breaking the Splunk Agent to report accurate data.
I will give little bit of background what's happening.
We use SCCM for Imaging Windows Server OS and Splunk Agent is part of the task sequence and it gets installed along with OS and other applications. Till here everything is working.
Now actual issue.
1. We build the server and handed over to the respective team. Team is not happy with the Server Name we have used so they raise a request to change it.
2. Once the Windows Engineer change the hostname of the server so Splunk Stops reporting any data to the dashboard.
3. Based on the troubleshooting we found that Splunk agent has one inputs.configuration file at location "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" which doesn't change the value when server was renamed and keeps the record whatever was printed at the time of agent installation. Once we change the inputs.config file for the value in the file "Host = Current Server Name" (Replace Old Name with new one) and restart Splunk Services then it starts reporting the accurate data.
For now i have written one PS code which goes to the particular location "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf". Reads the value and matches with Hostname. If the value mismatch then it changes it according to the server name. PS Script given at the end.
I was wondering if Splunk can do it on behalf of me doing it by code?