Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identify Cloned Hosts on Deployer?

JDukeSplunk
Builder
‎08-21-2017 09:31 AM

Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.

Is there a search that I can run to identify duplicate hosts/GUID's by IP(or something) on the deployment server?

0 Karma
Reply

dstaulcu
Builder
‎11-20-2017 06:40 PM

Here's how I do it for windows-based universal forwarders.

earliest=-1d@d sourcetype="WinEventLog:*" 
| table _time host ComputerName 
| dedup ComputerName 
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE") 
| search HostMatchesComputername="FALSE"

Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:

https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1

Reply

JDukeSplunk
Builder
‎08-22-2017 10:01 AM

Shameless self bump.

0 Karma
Reply

DalJeanis
Legend
‎08-22-2017 12:30 PM

Are these splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a splunkserver).

0 Karma
Reply

JDukeSplunk
Builder
‎08-23-2017 06:33 AM

These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.

They report to the indexer fine, as their actual hostname.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...