Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identify Cloned Hosts on Deployer?

JDukeSplunk
Builder
‎08-21-2017 09:31 AM

Our server team sometimes clones hosts without running "splunk clone-prep-clear-config". I recently found a handful of these simply because I knew that it had happened. They were all reporting back to the deployment server as the same name. After I had them run splunk clone-prep-clear-config and restart the service, all 9 of them appeared on the deployer.

Is there a search that I can run to identify duplicate hosts/GUID's by IP(or something) on the deployment server?

0 Karma
Reply

dstaulcu
Builder
‎11-20-2017 06:40 PM

Here's how I do it for windows-based universal forwarders.

earliest=-1d@d sourcetype="WinEventLog:*" 
| table _time host ComputerName 
| dedup ComputerName 
| eval HostMatchesComputername = if(ComputerName=host,"TRUE","FALSE") 
| search HostMatchesComputername="FALSE"

Or you could run the following PowerShell as a script-based input each time splunkforwarder starts:

https://github.com/dstaulcu/SplunkTools/blob/master/CheckClonedAndFix.ps1

Reply

JDukeSplunk
Builder
‎08-22-2017 10:01 AM

Shameless self bump.

0 Karma
Reply

DalJeanis
Legend
‎08-22-2017 12:30 PM

Are these splunk server hosts or other hosts? In our enterprise, it is sometimes a valid condition for a host to have multiple IPs (but not for a splunkserver).

0 Karma
Reply

JDukeSplunk
Builder
‎08-23-2017 06:33 AM

These are my forwarders, and how they show up on my deployment server. Since their forwarder is not being reset with a "splunk clone-prep-clear-config" they are reporting back to the deployer with the name of the host they were cloned from. This makes it difficult to remove monitoring from a host, or change what apps are deployed.

They report to the indexer fine, as their actual hostname.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...