Does splunk clean all remove server names?

kenoski
Path Finder

We are trying to put our Splunk Indexer on a Windows system image.

Based on the documentation, stopping the Splunk service and issuing the .\splunk clean all command should clean out everything so the system image can be sysprep'd and in the future reimaged elsewhere.

When we do this we see that the original server name still exists in the cloned image upon startup.

Shouldn't the clean all command clean out the following?

1) var\log\splunk\ directory
2) var\lib\splunk\* directories
3) var\run\splunk* directory

I'm guessing that even if it did the above directories, that it would be some manual effort to clean out the following user/app directories:
1) etc\apps\splunk_management_console\lookups\assets.csv
2) etc\users\admin\launcher\history.csv
3) etc\users\admin\search\history.csv
4) etc\users\admin\splunk_app_windows_infrastructure\history.csv

I don't think the users\admin directories would cause problems, but the splunk_management_console lookup file now has the template windows image server name in its assets file, when it won't exist in the deployment.

So would the best practice be to search for the template server name anywhere in the splunk deployment prior to running sysprep and cloning the image?

thx.

0 Karma
1 Solution

martin_mueller
SplunkTrust

You'll want to run this:

./splunk clone-prep-clear-config

http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Makeadfpartofasystemimage

0 Karma
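The check proposed in the question (searching the deployment for the template server name before sysprep), as an added PowerShell example that is not part of the original thread or of Splunk's tooling. It assumes the default install path and that the template name is the current computer name; run it with Splunk stopped, after the clear command above.

```powershell
# Added example: pre-sysprep scan for leftover template host name in a Splunk install.
# Assumptions (not from the thread): default install path, template name = this computer.
param(
    [ValidateNotNullOrEmpty()]
    [string]$SplunkHome   = 'C:\Program Files\Splunk',
    [ValidateNotNullOrEmpty()]
    [string]$TemplateName = $env:COMPUTERNAME
)

# etc holds configuration, app lookups (assets.csv) and per-user history.csv files;
# var\run\splunk holds runtime state. Both are named in the question.
$roots = 'etc', 'var\run\splunk' |
    ForEach-Object { Join-Path $SplunkHome $_ } |
    Where-Object { Test-Path $_ }

if (-not $roots) {
    Write-Error "No Splunk directories found under $SplunkHome"
    exit 2
}

# Text-based files only; index buckets under var\lib\splunk are left out on purpose,
# since "splunk clean all" is the step that removes indexed data.
$files = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.conf', '.csv', '.cfg', '.meta', '.xml' }

# -SimpleMatch treats the name as a literal string; matching is case-insensitive.
$hits = $files | Select-String -SimpleMatch -Pattern $TemplateName

if ($hits) {
    # One summary line per file, most references first.
    $hits | Group-Object Path | Sort-Object Count -Descending |
        ForEach-Object { '{0,5} line(s)  {1}' -f $_.Count, $_.Name }
    Write-Warning "Template name '$TemplateName' is still present; review these files before sysprep."
    exit 1
}

Write-Output "No reference to '$TemplateName' found under $($roots -join ', ')."
exit 0
```

The non-zero exit code lets an image-build script stop before sysprep when the name is still found.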

kenoski
Path Finder

Does this work for an indexer also?

0 Karma

kmjefferson42
Explorer

I am also interested to know if this will work on a Splunk Enterprise Indexer. I am currently working on deploying Splunk Enterprise Hyper-V VMs and have run into an issue with the Monitoring Console. When attempting to look at "Instance" specific resource usage, all of the data fields are empty. It appears the instance is still showing from the original installation. I have updated the OS host name and the Splunk server name through the GUI and also manually checked/updated in the server.conf and one or two other .conf files (I can't remember offhand).

I will try running this script tomorrow when back in the office and see if it updates the "instance" on the Monitoring Console.

I'll update my finding tomorrow.

Anyone with any insight on this please chime in!!

Thanks, Ken

0 Karma

martin_mueller
SplunkTrust

Never tried, but I don't see why not. The help text says this on a full instance:

Clear a Splunk instance of instance-unique config parameters, which are normally
created on initial startup (first-time run, "ftr").  Intended for use after an
instance has been cloned (i.e. all its files simply copied) from another instance.

0 Karma

kenoski
Path Finder

Thanks for the help.

Maybe someone from Splunk Support can provide an updated way to prepare a full Splunk Enterprise installation for cloning....what they have in the Admin manual is missing this important step.

I wonder what else is missing?

0 Karma

martin_mueller
SplunkTrust

For docs feedback, make sure to use the feedback form at the bottom of the docs page.

0 Karma