Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.
Is there a search that I can run to identify duplicate hosts/GUID's by IP(or something) on the deployment server?
These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.
They report to the indexer fine, as their actual hostname.