I am attempting to setup Splunk on a VM that will become a VM template. I have run sysprep and made it a template. I create a new VM from the template, and it receives new machine name and IP address. The problem is that when it reports to Splunk, it has shows up under the old Hostname entry. I see current entries that state : Host: oldName , Computername: oldName and other entries that state Host: oldName, Computername: newName
We are forwarding Windows event logs to a master Listener. I see at least 3 places where the machine name is configured. Inputs.conf and 2 different server.conf files. What is the best way for us to automate this?
The right way to do this would be to remove the generated files that have the host name (there are only two: server.conf and inputs.conf) and force Splunk to regenerate this with the first-time run process. Unfortunately I don't know how to force this. So instead:
With server.conf, you can actually simply replace it with one that uses the $HOSTNAME environment variable:
serverName = $HOSTNAME
instead of a literal hostname. However, as of the current version (4.1.2) this doesn't work in inputs.conf, leaving you with the option of just generating a new one of those files yourself. It's not very hard, but it is an unnecessary pain in the ass.
I had an SA clone solaris boxes that had Splunk forwarder installed and noticed the same thing. There was another question about this and I followed their ideas and removed the host=(servername) from the servers.conf and my servers were able to pick up the correct name.
Here is the link to the other topic:
So you could delete the setting and then make your template.