Re: Identify Cloned Hosts on Deployer?

JDukeSplunk · ‎08-21-2017

Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.

Is there a search that I can run to identify duplicate hosts/GUID's by IP(or something) on the deployment server?

dstaulcu · ‎11-20-2017

Here's how I do it for windows-based universal forwarders.

earliest=-1d@d sourcetype="WinEventLog:*" 
| table _time host ComputerName 
| dedup ComputerName 
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE") 
| search HostMatchesComputername="FALSE"

Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:

https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1

JDukeSplunk · ‎08-22-2017

Shameless self bump.

DalJeanis · ‎08-22-2017

Are these splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a splunkserver).

JDukeSplunk · ‎08-23-2017

These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.

They report to the indexer fine, as their actual hostname.

Identify Cloned Hosts on Deployer?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life