Getting Data In

How to configure dynamic index for Splunk Universal Forwarder in a VMware Horizon Instant Clones image

pkt73194
Engager

We are using a Horizon View 7 connection server to manage desktop virtual machines in multiple domains. We are using a single-instance Splunk Enterprise Server, with Splunk Universal Forwarders sending the data. All Horizon desktop pools are using Instant Clones method and are all based on snapshots of a single "Gold Image". The desktop pools have different naming conventions, but the VMs are named with consistent prefixes within their own pools. For example:

devel-01, devel-02, etc. for the "devel" pool in the "devel" domain
prod-01, prod-02, etc. for the "prod" pool in the "prod" domain

For all other applications, this has been a great way to reduce administrative overhead, but Splunk Universal Forwarder is giving me fits. I need both the hostname AND the index to be dynamic. I have tried configuring the Gold Image with the "splunk clone-prep-clear-config" command, but that only affects hostname. I want these desktops to send data to pools specifically for their domains. Basically, I want to end up with an $SPLUNK_HOME/etc/system/local/inputs.conf that dynamically assigns the host name and index values based on which desktop it is running on. Something that looks like:

[default]
host = domain-number
index = domain

Can the Splunk Universal Forwarder be incorporated into a clone image in this manner?

1 Solution

pkt73194
Engager

Took me a while, but I figured this one out. For anyone else who is crazy enough to try this setup:

I made use of a lesser-documented feature of VMware Horizon by using the desktop pool options "Post-Synchronization Script name:" and "Post-Synchronization Script parameters:". I wasn't able to find a definitive answer on what type of script that was meant for, or what parameter options are available, but it will successfully kick off a Windows batch file as long as you give it a full local path to a batch file stored on the "Gold Image" (C:\startup-script.bat), and the parameter I gave was "p1" (from the example given below the text box).

For the Splunk Universal Forwarder, I did clone prep the Gold Image with the "splunk.exe clone-prep-clear-config" command, which left the inputs.conf file containing only the "[default]" header. The script I wrote to configure the VMs as described above was as follows:

@echo off
REM Post-synchronization script run by Horizon on every instant clone.
REM It derives the Splunk index name from the pool prefix of the VM hostname.

REM #manually enable and start the splunk forwarder to get GUID and hostname
REM (sc requires the space after "start=")
sc config splunkforwarder start= demand
start /wait sc start splunkforwarder

REM #disable splunk forwarder again and stop the service
sc config splunkforwarder start= disabled
start /wait sc stop splunkforwarder

REM #determine current host name
for /f "tokens=*" %%g in ('hostname') do set NAME=%%g

REM #chop the two numbers and dash off the end of the name (devel-01 -> devel)
set SHORTNAME=%NAME:~0,-3%

REM #ensure the name variable is lowercase (Splunk index names must be lowercase)
CALL :LoCase SHORTNAME

REM #add the dynamic index name to the inputs file
REM (clone-prep-clear-config left only the [default] header, so this lands in [default])
echo index = %SHORTNAME% >> "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"

REM #clear the windows logs so data is not duplicated
wevtutil.exe cl Application
wevtutil.exe cl System
wevtutil.exe cl Security
wevtutil.exe cl Setup

REM #start the Splunk forwarder
sc config splunkforwarder start= auto
start /wait sc start splunkforwarder
GOTO finish

:LoCase
REM #function to make variables lowercase; %~1 is the NAME of the variable to change
if not defined %~1 exit /b
for %%a in ("A=a" "B=b" "C=c" "D=d" "E=e" "F=f" "G=g" "H=h" "I=i" "J=j" "K=k" "L=l" "M=m" "N=n" "O=o" "P=p" "Q=q" "R=r" "S=s" "T=t" "U=u" "V=v" "W=w" "X=x" "Y=y" "Z=z") do (
call set %~1=%%%~1:%%~a%%
)
exit /b

:finish
REM #(label renamed from :eof, which cmd reserves as "end of file")
REM #create a marker text file to indicate the script ran
echo Splunk Index configuration script completed on %date% %time% >> "C:\Program Files\SplunkUniversalForwarder\etc\system\local\ScriptTime.txt"
exit

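The pool-to-index derivation from the accepted answer, as an added example that is not part of the original post and not Splunk's or VMware's code. It reimplements the batch script's core step in Python and adds two checks the script does not make: the hostname must match the <pool>-<nn> convention from the question and the pool must be on an allow list, so a clone with an unexpected name fails loudly instead of appending an index= line for an index the indexer does not have; and the [default] stanza is rewritten idempotently (existing host=/index= keys replaced, other stanzas kept), so re-running the post-sync script cannot leave duplicate keys. It also writes host= into [default], which the post leaves to clone-prep. The pool names, the allow list and the temp file are constructed for the example; having Python on the Gold Image is an assumption, and the same logic can be carried into the batch or a PowerShell post-sync script.

```python
import re
import tempfile
from pathlib import Path

# Desktop pools this Gold Image may serve (constructed for this example; on a
# real image this list would mirror the indexes created on the indexer).
ALLOWED_POOLS = {"devel", "prod"}

# Naming convention from the question: <pool>-<two or more digits>, e.g. devel-01.
HOSTNAME_RE = re.compile(r"^(?P<pool>[A-Za-z][A-Za-z0-9]*)-(?P<num>\d{2,})$")

# Splunk index names: lowercase letters, digits, underscore and hyphen only,
# and they must not begin with an underscore or hyphen.
INDEX_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def derive_index(hostname: str, allowed_pools=ALLOWED_POOLS) -> str:
    """Map a clone hostname such as DEVEL-07 to its pool index name ('devel').

    Raises ValueError instead of guessing, so a clone with an unexpected name
    never gets an index= line pointing at an index that does not exist.
    """
    match = HOSTNAME_RE.match(hostname.strip())
    if not match:
        raise ValueError(f"hostname {hostname!r} does not follow <pool>-<nn>")
    pool = match.group("pool").lower()
    if pool not in allowed_pools:
        raise ValueError(f"pool {pool!r} is not an allowed pool/index")
    if not INDEX_RE.match(pool):
        raise ValueError(f"{pool!r} is not a valid Splunk index name")
    return pool


def _emit_settings(out, hostname, index):
    """Append host/index lines at the end of the [default] stanza body."""
    while out and out[-1].strip() == "":
        out.pop()
    out.append(f"host = {hostname.strip().lower()}")
    out.append(f"index = {index}")


def render_inputs_conf(existing: str, hostname: str, index: str) -> str:
    """Return inputs.conf text with host= and index= set in [default].

    Stale host=/index= keys inside [default] are replaced rather than appended,
    so running the script twice yields the same file. Other stanzas are kept.
    """
    out = []
    in_default = False
    seen_default = False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_default:  # leaving [default]: flush our keys before the next stanza
                _emit_settings(out, hostname, index)
                out.append("")
            in_default = stripped == "[default]"
            seen_default = seen_default or in_default
            out.append(line)
            continue
        if in_default and stripped.split("=", 1)[0].strip().lower() in ("host", "index"):
            continue  # drop the stale value; it is re-emitted below
        out.append(line)
    if not seen_default:  # no [default] at all: create one at the end
        if out and out[-1].strip() != "":
            out.append("")
        out.append("[default]")
        in_default = True
    if in_default:
        _emit_settings(out, hostname, index)
    return "\n".join(out) + "\n"


def configure_forwarder(inputs_path: Path, hostname: str) -> str:
    """Rewrite inputs.conf on disk for this clone and return the index chosen."""
    index = derive_index(hostname)
    existing = inputs_path.read_text() if inputs_path.exists() else ""
    inputs_path.write_text(render_inputs_conf(existing, hostname, index))
    return index


if __name__ == "__main__":
    # Demo against a temp file standing in for
    # C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "inputs.conf"
        conf.write_text("[default]\n")  # what clone-prep-clear-config leaves behind
        for name in ("DEVEL-07", "prod-12", "kiosk-03"):
            try:
                print(name, "->", configure_forwarder(conf, name))
            except ValueError as err:
                print(name, "-> refused:", err)
        print(conf.read_text())
```

Two points worth keeping in mind when adapting this: an index= in [default] applies to every input on the forwarder, so the allow list is the only thing standing between a mis-named clone and events landing in a non-existent index (which the indexer drops unless lastChanceIndex is configured in indexes.conf); and a refused hostname should be surfaced (exit code, event log entry or the marker file the answer writes) rather than silently skipped, otherwise the clone forwards into whatever index the Gold Image last had.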
