All Apps and Add-ons

Splunk License Usage: Double hostname entry on license master due to reinstall

gabrigr_ec
Explorer

Hi,

I had a Splunk instance registered with a remote license master. At some point in time, I reinstalled the entire instance from scratch. Now, I have two entries for the same hostname on the license master under available Indexers, most likely because the GUID changed.

I already tried reverting the GUID of the instance to the old one but the license master still keeps a double entry under Available Indexers.

Is there any way to purge the useless entry from the license master or is this a matter of waiting?

0 Karma

gabrigr_ec
Explorer

Here's what I did

  1. Verified I have one entry for slave on License Master associated with pool. No double entry under Available Indexers
  2. Stopped License Master Commented out clustering, clustermaster:indexercluster1, shclustering stanzas in server.conf Started License Master
  3. Stopped License Slave rm $SPLUNK_HOME/etc/instance.cfg Started License Slave
  4. License Master now mentions '1 orphaned indexer reported by 1 indexer' Under Available Indexers I now see a second hostname entry for the slave (because GUID changed)
  5. Stopped License Master Re-enabled clustering, clustermaster:indexercluster1, shclustering stanzas in server.conf Started License Master
  6. Under Associated Indexers for my pool I now see an entry for the old GUID I can remove the GUID, add the new hostname entry and all is well

So, moral of the story: license master has to be a search head

0 Karma

sudosplunk
Motivator

Since the GUID changed multiple times, you have to manually remove the indexer from "Available indexers" list.

Click on "Edit" for desired pool under Licensing (Settings -> Licensing) on LM and remove the unwanted indexer(s).

0 Karma

gabrigr_ec
Explorer

I did that but my question was more if I can completely remove them from Available indexers or that it takes some time to age out?

0 Karma

sudosplunk
Motivator

Are you asking about removing the greyed out instances that do not have 'X' mark?

0 Karma

gabrigr_ec
Explorer

They were black with a green + under 'Available indexers'

However, I noticed something odd.

Today I configured my license master as a search head and after a restart the hosts were marked with their GUIDs in a license pool. After removing them from the pool , they don't show any more under Available Indexers.

0 Karma

sudosplunk
Motivator

When a new instance(slave in other words) contacts license master with same pass$SymmKey, they are listed under available indexers. So, according to your comment, do you think a restart fixed it?

0 Karma

gabrigr_ec
Explorer

Here's what I did

Verified I have one entry for slave on License Master associated with pool. No double entry under Available Indexers

Stopped License Master
Commented out clustering, clustermaster:indexercluster1, shclustering stanzas in server.conf
Started License Master

Stopped License Slave
rm $SPLUNK_HOME/etc/instance.cfg
Started License Slave

License Master now mentions '1 orphaned indexer reported by 1 indexer'
Under Available Indexers I now see a second hostname entry for the slave (because GUID changed)

Stopped License Master
Re-enabled clustering, clustermaster:indexercluster1, shclustering stanzas in server.conf
Started License Master

Under Associated Indexers for my pool I now see an entry for the old GUID
I can remove the GUID, add the new hostname entry and all is well

So, moral of the story: license master has to be a search head

0 Karma

vishaltaneja070
Motivator

@gabrigr_ec

Did the below answer solves your issue?

0 Karma

vishaltaneja070
Motivator

Hello @Gabrigr_ec

Please try the below step, it will solve the issue:
splunk stop;
rm /opt/splunk/etc/instance.cfg;
splunk start

Thanks 🙂

0 Karma

gabrigr_ec
Explorer

That didn't work - it actually created a third instance of the hostname.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...