Getting Data In

How to configure dynamic index for Splunk Universal Forwarder in a VMware Horizon Instant Clones image

pkt73194
Engager

We are using a Horizon View 7 connection server to manage desktop virtual machines in multiple domains. We are using a single-instance Splunk Enterprise server, with Splunk Universal Forwarders sending the data. All Horizon desktop pools use the Instant Clones method and are all based on snapshots of a single "Gold Image". The desktop pools have different naming conventions, but the VMs are named with consistent prefixes within their own pools. For example:

devel-01, devel-02, etc. for the "devel" pool in the "devel" domain
prod-01, prod-02, etc. for the "prod" pool in the "prod" domain

For all other applications, this has been a great way to reduce administrative overhead, but the Splunk Universal Forwarder is giving me fits. I need both the hostname AND the index to be dynamic. I have tried configuring the Gold Image with the "splunk clone-prep-clear-config" command, but that only affects the hostname. I want these desktops to send data to pools specifically for their domains. Basically, I want to end up with an $SPLUNK_HOME/etc/system/local/inputs.conf that dynamically assigns the host name and index values based on which desktop it is running on. Something that looks like:

[default]
host = domain-number
index = domain

Can the Splunk Universal Forwarder be incorporated into a clone image in this manner?

0 Karma
1 Solution

pkt73194
Engager

Took me a while, but I figured this one out. For anyone else who is crazy enough to try this setup:

I made use of a lesser-documented feature of VMware Horizon by using the desktop pool options "Post-Synchronization Script name:" and "Post-Synchronization Script parameters:". I wasn't able to find a definitive answer on what type of script that was meant for, or what parameter options are available, but it will successfully kick off a Windows batch file as long as you give it a full local path to a batch file stored on the "Gold Image" (C:\startup-script.bat), and the parameter I gave was "p1" (from the example given below the text box).

For the Splunk Universal Forwarder, I did clone-prep the Gold Image with the "splunk.exe clone-prep-clear-config" command, which left the inputs.conf file containing only the "[default]" header. The script I wrote to configure the VMs as described above was as follows:


@echo off

REM #manually enable and start the splunk forwarder once so it generates its GUID and hostname
REM #note: "sc config" requires the space after "start=", otherwise the command is rejected
sc config splunkforwarder start= demand
sc start splunkforwarder

REM #"sc start" returns as soon as the service reports START_PENDING, so give the
REM #forwarder time to finish writing its GUID and serverName before stopping it
timeout /t 30 /nobreak >nul

REM #disable splunk forwarder again and stop the service ("sc stop" also returns
REM #before the service has fully stopped, so wait before touching its config)
sc config splunkforwarder start= disabled
sc stop splunkforwarder
timeout /t 10 /nobreak >nul

REM #determine current host name
for /f "tokens=*" %%g in ('hostname') do set NAME=%%g

REM #chop the two numbers and dash off the end of the name (prod-01 becomes prod)
set SHORTNAME=%NAME:~0,-3%

REM #ensure the name variable is lowercase (Splunk index names are lowercase)
call :LoCase SHORTNAME

REM #add the dynamic index name to the inputs file
echo index = %SHORTNAME% >> "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"

REM #clear the windows logs so data is not duplicated
REM #clearing Application/System/Setup records System Event ID 104, and clearing
REM #Security records Security Event ID 1102 (audit log cleared); expect one of
REM #each per clone, since log-clearing is commonly alerted on
wevtutil.exe cl Application
wevtutil.exe cl System
wevtutil.exe cl Security
wevtutil.exe cl Setup

REM #start the Splunk forwarder
sc config splunkforwarder start= auto
sc start splunkforwarder
goto done

:LoCase
REM #function to make the named variable lowercase: one substring substitution per
REM #letter (A to a, B to b, ...); cmd substitution is case-insensitive, so each
REM #replacement also matches the lowercase letter, which is harmless
if not defined %~1 exit /b
for %%a in ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j" "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v" "W=w" "X=x" "Y=y" "Z=z") do (
call set %~1=%%%~1:%%~a%%
)
exit /b

:done
REM #create a marker text file to indicate the script ran
echo Splunk Index configuration script completed on %date% %time% >> "C:\Program Files\SplunkUniversalForwarder\etc\system\local\ScriptTime.txt"
exit

0 Karma
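A PowerShell variant of the post-synchronization step, added here as an example; it is not part of the original post. It keeps the same flow (start the forwarder once, stop it, set the index, clear the event logs, start it again) but validates the clone's hostname against the naming convention from the question before deriving an index, refuses to enable the forwarder if the hostname does not fit so a stray clone cannot write into an unexpected index, writes both host and index under [default] without appending duplicates on a rerun, and uses Start-Service/Stop-Service, which block until the service has actually changed state. The pool names devel and prod, the default Universal Forwarder install path, and the wrapper batch file that launches it are assumptions, not something the post confirms.

```powershell
# Added example (not from the original post): PowerShell post-synchronization
# script for a Horizon instant clone. Assumptions: the UF is installed at the
# default path, clone-prep-clear-config was run on the gold image, the clone
# hostname follows <pool>-NN, and only the pools listed in $KnownPools exist.
$ErrorActionPreference = 'Stop'

$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$InputsConf  = Join-Path $SplunkHome 'etc\system\local\inputs.conf'
$Marker      = Join-Path $SplunkHome 'etc\system\local\ScriptTime.txt'
$ServiceName = 'SplunkForwarder'
$KnownPools  = @('devel', 'prod')   # allowlist of pool prefixes, used verbatim as index names

function Get-IndexFromHostName {
    param([Parameter(Mandatory)][string]$HostName)
    # Naming convention from the question: <pool>-<two digits>. -notmatch is
    # case-insensitive, so PROD-01 and prod-01 both pass.
    if ($HostName -notmatch '^(?<pool>[a-z][a-z0-9_]*)-\d{2}$') {
        throw "hostname '$HostName' does not match <pool>-NN; not guessing an index"
    }
    $pool = $Matches['pool'].ToLowerInvariant()   # Splunk index names are lowercase
    if ($KnownPools -notcontains $pool) {
        throw "pool '$pool' is not in the allowlist; refusing to target an unexpected index"
    }
    return $pool
}

function Build-InputsConf {
    param([string[]]$Existing, [string]$HostName, [string]$Index)
    # Returns the new file contents: host/index go directly under [default],
    # stale host/index keys in [default] are dropped (so a rerun does not append
    # duplicates), and every other stanza is copied through untouched.
    $out = New-Object System.Collections.Generic.List[string]
    $inDefault = $false
    $inserted  = $false
    foreach ($line in $Existing) {
        if ($line -match '^\s*\[(?<stanza>[^\]]+)\]\s*$') {
            $inDefault = ($Matches['stanza'] -eq 'default')
            $out.Add($line)
            if ($inDefault -and -not $inserted) {
                $out.Add("host = $HostName")
                $out.Add("index = $Index")
                $inserted = $true
            }
            continue
        }
        if ($inDefault -and $line -match '^\s*(host|index)\s*=') { continue }
        $out.Add($line)
    }
    if (-not $inserted) {
        $out.InsertRange(0, [string[]]@('[default]', "host = $HostName", "index = $Index"))
    }
    return $out.ToArray()
}

try {
    $hostName = $env:COMPUTERNAME
    # Validate first: if this throws, the service is never enabled (fail closed).
    $index = Get-IndexFromHostName -HostName $hostName

    # First start lets the forwarder generate its GUID and serverName. Unlike
    # "sc start"/"sc stop", these cmdlets wait for the state change to complete.
    Set-Service -Name $ServiceName -StartupType Manual
    Start-Service -Name $ServiceName
    Stop-Service  -Name $ServiceName

    $existing = @()
    if (Test-Path $InputsConf) { $existing = @(Get-Content -Path $InputsConf) }
    $content = Build-InputsConf -Existing $existing -HostName $hostName -Index $index
    Set-Content -Path $InputsConf -Value $content -Encoding ASCII

    # Clear the gold image's event history so it is not indexed once per clone.
    # Clearing Security records Security Event ID 1102 (audit log cleared) and
    # clearing the others records System Event ID 104; expect one per clone and
    # account for them in any log-clearing detection.
    foreach ($log in 'Application', 'System', 'Security', 'Setup') { wevtutil.exe cl $log }

    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    Add-Content -Path $Marker -Value "$(Get-Date -Format o) configured host=$hostName index=$index"
}
catch {
    Add-Content -Path $Marker -Value "$(Get-Date -Format o) FAILED: $_"
    exit 1
}
```

Horizon's pool setting takes the path of a batch file, so point it at a one-line wrapper such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\splunk-postsync.ps1` (an assumed path). If the hostname fails validation the script exits before the service is set to Automatic, so the clone boots with the forwarder not running and the marker file records why; that is the intended behaviour for a clone whose name does not match any known pool.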
