Deployment Architecture

Identify Cloned Hosts on Deployer?

JDukeSplunk
Builder

Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.

Is there a search that I can run to identify duplicate hosts/GUIDs by IP (or something) on the deployment server?

0 Karma

dstaulcu
Builder

Here's how I do it for windows-based universal forwarders.

earliest=-1d@d sourcetype="WinEventLog:*" 
| table _time host ComputerName 
| dedup ComputerName 
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE") 
| search HostMatchesComputername="FALSE"

Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:

https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1
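The same two checks, applied to deployment-server client records instead of Windows event logs, as an added example that is not from this thread or from dstaulcu's repository. It assumes records shaped like the output of `| rest /services/deployment/server/clients` (fields guid, clientName, hostname, ip), gathered over several polls because clones sharing a GUID tend to overwrite one another in the client list, as the question describes; the sample data is constructed.

```python
"""Flag cloned Splunk forwarders in deployment-server client records.

Added example, not the thread's own code. Field names (guid, clientName,
hostname, ip) are assumed to match the deployment/server/clients endpoint.
"""
from collections import defaultdict

# Constructed sample: web02 and web03 were cloned from web01 without running
# "splunk clone-prep-clear-config", so they still carry web01's GUID and
# clientName but phone home from their own IPs.
CLIENTS = [
    {"guid": "AAAA-1111", "clientName": "web01", "hostname": "web01", "ip": "10.0.0.11"},
    {"guid": "AAAA-1111", "clientName": "web01", "hostname": "web02", "ip": "10.0.0.12"},
    {"guid": "AAAA-1111", "clientName": "web01", "hostname": "web03", "ip": "10.0.0.13"},
    {"guid": "BBBB-2222", "clientName": "db01",  "hostname": "db01",  "ip": "10.0.0.21"},
    {"guid": "CCCC-3333", "clientName": "app01", "hostname": "app07", "ip": "10.0.0.31"},
]


def duplicate_guids(clients):
    """Return {guid: sorted IPs} for every GUID seen from more than one IP.

    A GUID is meant to be unique per forwarder, so multiple source IPs for
    one GUID is the signature of an un-prepped clone.
    """
    ips_by_guid = defaultdict(set)
    for c in clients:
        ips_by_guid[c["guid"]].add(c["ip"])
    return {g: sorted(ips) for g, ips in ips_by_guid.items() if len(ips) > 1}


def name_mismatches(clients):
    """Return (hostname, clientName, ip) where the name a forwarder reports
    differs from its real hostname, the equivalent of dstaulcu's
    host != ComputerName test."""
    return sorted(
        (c["hostname"], c["clientName"], c["ip"])
        for c in clients
        if c["clientName"] != c["hostname"]
    )


if __name__ == "__main__":
    for guid, ips in duplicate_guids(CLIENTS).items():
        print(f"GUID {guid} phoned home from {len(ips)} IPs: {', '.join(ips)}")
    for hostname, client_name, ip in name_mismatches(CLIENTS):
        print(f"{hostname} ({ip}) reports as {client_name}; run clone-prep-clear-config")
```

A host that appears in the mismatch list but not in the duplicate-GUID list (app07 above) was renamed after install rather than cloned, so the two checks together separate the two causes.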

JDukeSplunk
Builder

Shameless self bump.

0 Karma

DalJeanis
Legend

Are these splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a splunkserver).

0 Karma

JDukeSplunk
Builder

These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.

They report to the indexer fine, as their actual hostname.

0 Karma