All Apps and Add-ons

Inputs.Config File update issue

DeepakRai
New Member

Hello Team,

 

Greetings for the day. In my organization we use Splunk for all types of monitoring and i am stuck on one issue which is breaking the Splunk Agent to report accurate data.

I will give little bit of background what's happening.

We use SCCM for Imaging Windows Server OS and Splunk Agent is part of the task sequence and it gets installed along with OS and other applications. Till here everything is working.

Now actual issue.

1. We build the server and handed over to the respective team. Team is not happy with the Server Name we have used so they raise a request to change it.

2. Once the Windows Engineer change the hostname of the server so Splunk Stops reporting any data to the dashboard.

3. Based on the troubleshooting we found that Splunk agent has one inputs.configuration file at location "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" which doesn't change the value when server was renamed and keeps the record whatever was printed at the time of agent installation. Once we change the inputs.config file for the value in the file "Host = Current Server Name" (Replace Old Name with new one) and restart Splunk Services then it starts reporting the accurate data.

For now i have written one PS code which goes to the particular location "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf". Reads the value and matches with Hostname. If the value mismatch then it changes it according to the server name. PS Script given at the end.

I was wondering if Splunk can do it on behalf of me doing it by code?

Thank you for your time in reading this question.

(Get-Content "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" -Raw) -replace '( = ).*', " = $1$($env:COMPUTERNAME)" | Set-Content "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You could deploy an app to the appropriate forwarders.  That app would contain your PS script and would have to restart the forwarder after changing inputs.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...