Getting Data In

Does splunk clean all remove server names?

kenoski
Path Finder

We are trying to put our Splunk Indexer on a Windows system image.

Based on the documentation, stopping the Splunk service and issuing the .\splunk clean all command should clean out everything so the system image can be sysprep'd and in the future reimaged elsewhere.

When we do this we see that the original server name still exists in the cloned image upon startup.

Shouldn't the clean all command clean out the following?

1) var\log\splunk\ directory
2) var\lib\splunk\* directories
3) var\run\splunk* directory

I'm guessing that even if it did the above directories, that it would be some manual effort to clean out the following user/app directories:
1) etc\apps\splunk_management_console\lookups\assets.csv
2) etc\users\admin\launcher\history.csv
3) etc\users\admin\search\history.csv
4) etc\users\admin\splunk_app_windows_infrastructure\history.csv

I don't think the users\admin directories would cause problems, but the splunk_management_console lookup file now has the template Windows image server name in its assets file, when it won't exist in the deployment.

So would the best practice be to search for the template server name anywhere in the Splunk deployment prior to running sysprep and cloning the image?

thx.

0 Karma
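The pre-clone check the question asks about, searching the Splunk install for the template server name before sysprep, as an added example that is not part of this thread or of Splunk's own tooling. It assumes SPLUNK_HOME/etc holds the .conf and .csv files named above and builds a constructed sample tree to run against:

```python
import tempfile
from pathlib import Path

# Assumption: instance-specific identity lives in .conf and lookup .csv files
# under SPLUNK_HOME/etc (server.conf, inputs.conf, the DMC assets.csv, history.csv).
SCAN_SUFFIXES = {".conf", ".csv"}


def find_template_name(splunk_home, template_name):
    """Return (relative path, line number, line) for every line under
    SPLUNK_HOME/etc that mentions template_name, matched case-insensitively
    because the OS host name and serverName may differ in case."""
    root = Path(splunk_home) / "etc"
    needle = template_name.lower()
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if needle in line.lower():
                    rel = path.relative_to(splunk_home).as_posix()
                    hits.append((rel, lineno, line.rstrip("\n")))
    return hits


def build_sample_home(template_name="TEMPLATE-WIN01"):
    """Constructed sample SPLUNK_HOME mimicking the files the thread names;
    the host name and file contents are made up for this example."""
    home = Path(tempfile.mkdtemp(prefix="splunk_home_"))
    files = {
        "etc/system/local/server.conf": f"[general]\nserverName = {template_name}\n",
        "etc/apps/splunk_management_console/lookups/assets.csv":
            f"peerURI,serverName\nlocalhost,{template_name}\n",
        "etc/users/admin/search/history.csv": "time,search\n1,index=main\n",
        "etc/system/local/inputs.conf": f"[default]\nhost = {template_name.lower()}\n",
    }
    for rel, text in files.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return home


if __name__ == "__main__":
    home = build_sample_home()
    # Every hit is a file that still carries the template identity after clean all.
    for rel, lineno, line in find_template_name(home, "TEMPLATE-WIN01"):
        print(f"{rel}:{lineno}: {line}")
```

Run it against the real SPLUNK_HOME with the template host name after stopping the service; an empty result is what you want before sysprep.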
1 Solution

martin_mueller
SplunkTrust

You'll want to run this:

./splunk clone-prep-clear-config

http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Makeadfpartofasystemimage

0 Karma

kenoski
Path Finder

Does this work for an indexer also?

0 Karma

kmjefferson42
Explorer

I am also interested to know if this will work on a Splunk Enterprise Indexer. I am currently working on deploying Splunk Enterprise Hyper-V VMs and have run into an issue with the Monitoring Console. When attempting to look at "Instance" specific resource usage, all of the data fields are empty. It appears the instance is still showing from the original installation. I have updated the OS host name and the Splunk server name through the GUI and also manually checked/updated in the server.conf and one or two other .conf files (I can't remember off hand).

I will try running this script tomorrow when back in the office and see if it updates the "instance" on the Monitoring Console.

I'll update my findings tomorrow.

Anyone with any insight on this please chime in!!

Thanks, Ken

0 Karma

martin_mueller
SplunkTrust

Never tried, but I don't see why not. The help text says this on a full instance:

Clear a Splunk instance of instance-unique config parameters, which are normally
created on initial startup (first-time run, "ftr").  Intended for use after an
instance has been cloned (i.e. all its files simply copied) from another instance.

0 Karma

kenoski
Path Finder

Thanks for the help.

Maybe someone from Splunk Support can provide an updated way to prepare a full Splunk Enterprise installation for cloning... what they have in the Admin manual is missing this important step.

I wonder what else is missing?

0 Karma

martin_mueller
SplunkTrust

For docs feedback, make sure to use the feedback form at the bottom of the docs page.

0 Karma