Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.
Is there a search that I can run to identify duplicate hosts/GUIDs by IP (or something) on the deployment server?
Here's how I do it for Windows-based universal forwarders.
earliest=-1d@d sourcetype="WinEventLog:*"
| table _time host ComputerName
| dedup ComputerName
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE")
| search HostMatchesComputername="FALSE"
Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:
https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1
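As an added example (not part of this thread and not the linked SplunkTools script), here is a Python check that works from the deployment server side rather than from event data: it takes deployment-client records accumulated over several polls of the client list and flags any forwarder GUID that has phoned home from more than one IP, while skipping hosts that legitimately have several IPs. The field names `guid`, `hostname`, `ip` and `dns` and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample: client records gathered over several polls of the
# deployment server's client list. Field names are assumed, not taken from
# a real Splunk response.
SAMPLE_CLIENTS = [
    {"guid": "AAAA-1111", "hostname": "web01", "ip": "10.0.1.11", "dns": "web01.corp"},
    {"guid": "AAAA-1111", "hostname": "web01", "ip": "10.0.1.12", "dns": "web02.corp"},
    {"guid": "AAAA-1111", "hostname": "web01", "ip": "10.0.1.13", "dns": "web03.corp"},
    {"guid": "BBBB-2222", "hostname": "db01", "ip": "10.0.2.21", "dns": "db01.corp"},
    {"guid": "CCCC-3333", "hostname": "nat01", "ip": "10.0.3.31", "dns": "nat01.corp"},
    {"guid": "CCCC-3333", "hostname": "nat01", "ip": "10.0.3.32", "dns": "nat01.corp"},
]


def find_cloned_forwarders(clients, multihomed_ok=()):
    """Return {guid: sorted list of IPs} for GUIDs seen from more than one IP.

    Clones that skipped clone-prep-clear-config share one GUID and one
    hostname, so they collapse into a single deployment-server entry whose
    IP changes from poll to poll. A host that legitimately owns several IPs
    resolves to one DNS name (or is listed in multihomed_ok) and is skipped.
    """
    ips_by_guid = defaultdict(set)
    dns_by_guid = defaultdict(set)
    host_by_guid = {}
    for c in clients:
        ips_by_guid[c["guid"]].add(c["ip"])
        dns_by_guid[c["guid"]].add(c.get("dns", ""))
        host_by_guid[c["guid"]] = c["hostname"]

    suspects = {}
    for guid, ips in ips_by_guid.items():
        if len(ips) < 2:
            continue  # one IP per GUID: nothing to flag
        if host_by_guid[guid] in multihomed_ok:
            continue  # known multi-homed host, accepted by the operator
        if len(dns_by_guid[guid]) < 2:
            continue  # several IPs but one DNS name: multi-homed, not cloned
        suspects[guid] = sorted(ips)
    return suspects


if __name__ == "__main__":
    for guid, ips in find_cloned_forwarders(SAMPLE_CLIENTS).items():
        print(f"GUID {guid} phones home from {len(ips)} IPs: {', '.join(ips)}")
```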
Shameless self bump.
Are these Splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a Splunk server).
These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.
They report to the indexer fine, as their actual hostname.