How is Server Identified After clone-prep-clear-config Script is Run?

tred23
Path Finder

We are using Citrix to deploy multiple servers from a master image. We have followed the directions in the http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Makeadfpartofasystemimage doc and it works; however, when we go and look at the cloned images' server.conf file there is no [general] stanza. The cloned images' inputs.conf file does not contain an entry for host under the [default] stanza.

I'm glad the clone-prep-clear-config script works; I just want to know how the UF is reporting the host name if it is not in those .conf files.

Thank you,
Logan

jconger
Splunk Employee

There are several things that happen when you do a clone-prep-clear-config. But here are the main things concerning the host.

First, checking out the help section for the command from a command line yields this:

./splunk help clone-prep-clear-config

Clear a Splunk instance of instance-unique config parameters, which are normally created on initial startup (first-time run, "ftr").  Intended for use after an instance has been cloned (i.e. all its files simply copied) from another instance.

Syntax:
    clone-prep-clear-config

There are 3 main files that get the hostname and GUID cleared (remember, there is more than just this going on):

  • inputs.conf (the host key in the [default] stanza is cleared)
  • server.conf (the serverName key in the [general] stanza is cleared)
  • instance.cfg (the guid key in the [general] stanza is cleared)

In addition to these things, a 0-bytes file named cloneprep is created in the $SPLUNK_HOME directory.

When the Universal Forwarder starts back up (which will happen after PVS or MCS has assigned the hostname and system GUIDs), all of the information is filled into the 3 files mentioned above and the cloneprep file gets deleted.

wfrankl2
Explorer

Update: What I had responded is actually incorrect, in that it's not a feature change but actually a bug. The bug showed up in 8.1.x and was fixed in 8.1.6 and apparently in 9.0.x. But in 8.2.5 and potentially any 8.2.x (have a case currently open as of today 7/18/2022) to make that determination. So my apologies in the haste of that response as what research I had done in docs and what we were seeing it appeared the functionality had changed.

Leaving the below here as to context of my correction.  

I believe this behavior changes with 8.2. The host is no longer being stored on ftr, and if you have host coded in your inputs.conf from prior releases, the clone-prep-clear-config command will not clean out that file in the 8.2.x releases, at least not in 8.2.5 that we are on. We just ran up on this issue as we have images that our servers are created from and the steps have been to run the clone-prep-clear-config to reset the inputs.conf host values and the guid. But it no longer clears out the host name from inputs.conf. So we have had to change our steps as we were not having data come into Splunk under the proper host name. So now we remove the inputs.conf as well as run the clone-prep-clear-config to reset our servers.
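The reset described in the replies above can be verified on the master image before it is sealed, so that clones do not all report under the master's host name. The shell check below is an added example, not part of the thread or of Splunk's tooling; the etc/system/local and etc/instance.cfg paths, the function names and the sample image are assumptions.

```shell
# conf_value FILE STANZA KEY -> prints the key's value, or nothing if unset
conf_value() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        # Splunk reads settings above the first stanza header as [default]
        BEGIN { in_stanza = (want == "[default]") }
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); in_stanza = ($0 == want); next }
        in_stanza {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) found = v
        }
        END { print found }' "$1"
}

# check_cloned_image SPLUNK_HOME -> prints findings, returns how many it found
check_cloned_image() {
    home=$1; findings=0
    # Usual file locations (assumption; the thread names only the files)
    for spec in "etc/system/local/inputs.conf default host" \
                "etc/system/local/server.conf general serverName" \
                "etc/instance.cfg general guid"; do
        set -- $spec
        v=$(conf_value "$home/$1" "$2" "$3")
        if [ -n "$v" ]; then
            echo "FINDING: $1 [$2] $3 is still set to '$v'"
            findings=$((findings + 1))
        fi
    done
    [ -f "$home/cloneprep" ] || { echo "FINDING: no cloneprep marker in $home"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample image: the command ran (marker present, serverName and
# guid cleared) but host survived in inputs.conf, as the last reply describes.
make_sample_image() {
    d=$(mktemp -d) && mkdir -p "$d/etc/system/local" || return 1
    printf '[default]\nhost = MASTER-IMG01\n' > "$d/etc/system/local/inputs.conf"
    printf '[general]\nsessionTimeout = 1h\n' > "$d/etc/system/local/server.conf"
    printf '[general]\n' > "$d/etc/instance.cfg"
    : > "$d/cloneprep"
    echo "$d"
}

img=$(make_sample_image)
check_cloned_image "$img" || echo "image is not ready to clone ($? finding(s))"
rm -rf "$img"
```

Run it against the real `$SPLUNK_HOME` after clone-prep-clear-config and before the forwarder is started again, since the first start refills the three files and deletes the marker.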
