Identify Cloned Hosts on Deployer?

JDukeSplunk
Builder

Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.

Is there a search that I can run to identify duplicate hosts/GUIDs by IP (or something) on the deployment server?

0 Karma

dstaulcu
Builder

Here's how I do it for Windows-based universal forwarders.

earliest=-1d@d sourcetype="WinEventLog:*" 
| table _time host ComputerName 
| dedup ComputerName 
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE") 
| search HostMatchesComputername="FALSE"

Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:

https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1

JDukeSplunk
Builder

Shameless self bump.

0 Karma

DalJeanis
SplunkTrust

Are these Splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a Splunk server).

0 Karma

JDukeSplunk
Builder

These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.

They report to the indexer fine, as their actual hostname.

0 Karma
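
Added example, not posted by anyone in this thread: since the cloned forwarders still reach the indexers under their real hostnames, one way to surface them is to group the indexers' forwarder connection metrics by forwarder GUID and flag any GUID seen from more than one source IP or hostname. It assumes the search head can search the indexers' _internal index and that the `tcpin_connections` events in metrics.log carry the `guid`, `hostname` and `sourceIp` fields; the 24-hour window is an arbitrary choice.

```spl
index=_internal source=*metrics.log* group=tcpin_connections earliest=-24h@h
| stats dc(sourceIp) AS ip_count
        dc(hostname) AS name_count
        values(sourceIp) AS source_ips
        values(hostname) AS hostnames
        latest(_time) AS last_seen
        BY guid
| where ip_count > 1 OR name_count > 1
| convert ctime(last_seen)
| sort - ip_count
```

A GUID with several IPs but a single hostname can be a legitimate multi-homed or re-addressed host, so treat rows with `name_count > 1` as the stronger sign of a clone.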