Solved: How to change Deployment Client Instance ID?

guarisma · ‎11-20-2020

I have a couple of heavy Forwarders that we've been using for a while without a deployment server, now we want to use a DS to manage their Apps and make sure they are consistent, but it seems the original installation was a clone or a copy of the splunk folder so both instances have the same GUID (Instance ID)

The Deployment Server is noticing this:

WARN ClientSessionsManager - Client with Id 'F8857965-300D-4E42-AECA-D35597DC4441' has changed some of its properties on the latest phone home.Old properties are: {ip=38.X.X.X, dns=FQDN, hostname=XXXCHSLKHF01, deploymentClientName="XXXCHSLKHF01", connectionId=connection_38.x.x.x.x_8089_38X.X.X_XXXCHSLKHF01_XXXCHSLKHF01, utsname="linux-x86_64", build=7af3758d0d5e, mgmt=8089, splunkVersion=7.3.3, package=enterprise, instanceId=F8857965-300D-4E42-AECA-D35597DC4441, instanceName=XXXCHSLKHF01}. New properties are: {ip=38.X.X.X, dns=38.130.118.2, hostname=XXXMNSLKHF01, deploymentClientName="F8857965-300D-4E42-AECA-D35597DC4441", connectionId=connection_38.X.X.X_8089_38.X.X.X_XXXMNSLKHF01_F8857965-300D-4E42-AECA-D35597DC4441, utsname="linux-x86_64", build=7af3758d0d5e, mgmt=8089, splunkVersion=7.3.3, package=enterprise, instanceId=F8857965-300D-4E42-AECA-D35597DC4441, instanceName=XXXMNSHF}.

So the DS will replace one HF with the other every time one calls back.

How can I change this Instance ID?

thambisetty · ‎11-22-2020

I follow below steps after vm is cloned:

sudo -u splunkuser $SPLUNK_HOME/bin/splunk set  servername $HOSTNAME
sudo -u splunkuser $SPLUNK_HOME/bin/splunk set  default-hostname $HOSTNAME
sudo -u splunkuser rm -rf $SPLUNK_HOME/etc/instance.cfg
sudo -u splunkuser $SPLUNK_HOME/bin/splunk restart

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎11-22-2020

I follow below steps after vm is cloned:

sudo -u splunkuser $SPLUNK_HOME/bin/splunk set  servername $HOSTNAME
sudo -u splunkuser $SPLUNK_HOME/bin/splunk set  default-hostname $HOSTNAME
sudo -u splunkuser rm -rf $SPLUNK_HOME/etc/instance.cfg
sudo -u splunkuser $SPLUNK_HOME/bin/splunk restart

————————————
If this helps, give a like below.

guarisma · ‎11-24-2020

Thanks!

I just needed this line in my case since someone else change the rest manually

sudo -u splunkuser rm -rf $SPLUNK_HOME/etc/instance.cfg

isoutamo · ‎11-24-2020

Please try to avoid -r on rm unless your really want to remove files recursively!

isoutamo · ‎11-22-2020

How to prepare colder image for UF https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Makeauniversalforwarderpartofahostim... and for full enterprise https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/IntegratefullSplunkontoasystemimage

Zzo911 · ‎03-02-2023

Is this valid for Splunk 9.0 and linux?

thambisetty · ‎03-02-2023

Yes.

————————————
If this helps, give a like below.

guarisma · ‎11-24-2020

Thanks, this is great material, I'm forwarding this information to my client

vikramyadav · ‎11-21-2020

It doesn't mean anything, but definitely you can just delete it and it will be re-generated.

-------------------------------

If this help your like would be appreciated 🙂

guarisma · ‎11-24-2020

Right, but I didn't know where to find it to change it or delete it, now I know it's in

sudo -u splunkuser rm -rf $SPLUNK_HOME/etc/instance.cfg

isoutamo · ‎11-20-2020

Hi
I haven’t try to change this on live instance, but you could try to change GUID on instance.cfg file. https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Instancecfgconf
r. Ismo

How to change Deployment Client Instance ID?

deployment client

deployment server

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!