Inputs.conf $decideonstartup

dchodur
Path Finder

Anyone know why 5.0.1 UFs are reporting data in with a host name of $decideonstartup? Looks like this setting was added in 5.0 for the inputs.conf file and the default for system/default/inputs.conf.

According to the manual it is to read the host name or IP at startup for Splunk, and it appears not to be doing this. I have restarted the service and it is not working. These are Windows hosts; not sure I am seeing this issue with Linux systems. I have several doing it; all seem to be 5.0.1 versions that I either upgraded or installed fresh.

Any ideas why it is not working, or how to fix it without editing each one?

Update:
Confirmed this is with the inputs.conf file by adding one in the local directory and setting host= to the host name; now I see logs and perfmon data. Trying to set it to an empty host name does not seem to work. Manually editing inputs.conf in system/default on all the hosts would not really be a good option either. Open to suggestions on how to fix this, since it seems to be an issue with how the UF is to read the hostname at startup and cannot or is not doing it. We use Deployment Server, so not sure how I could even address this with it since each host name is different.
Liked the old 4.X way without the variable, it worked.

1 Solution

dchodur
Path Finder

I finally figured out the problem – When installing manually any version of the UF (older or the new 5.0.1) it will create 3 files in etc/system/local. One of these files is an inputs.conf file with the system's name in it. Before, I was having people remove these files and let the system determine the hostname, which was working correctly. Now with 5.0 they have this new var for inputs.conf which should still really do the same thing, and it does for everything but perfmon stats. I can see the correct host name for event logs, in the deployment monitor, etc – just not for perfmon. Well it just so happens they redid in version 5.0 the perfmon collection to be what a module. I think how this was done there is an issue using that new inputs.conf setting. Well, it so happens we are removing these files when we installed Splunk, and they are sort of needed now with 5.0 it appears. I do think Splunk is having an issue with perfmon since it is not reading the computer name right, but people are not really seeing it because they would probably not be removing these files from etc/system/local.

dchodur
Path Finder

Here is the bat/cmd file I used. Need admin rights to the Windows boxes. Was quick and dirty. Used fart and psexec to help in the script. Basically pass a parm with the system name. Could use a file with hostnames if you had a lot of hosts.

@echo off
rem Usage: pass the target system name as the first parameter (needs admin rights on it)
if "%~1"=="" (
  echo Usage: %~nx0 HOSTNAME
  exit /b 1
)
set "LOCALDIR=\\%~1\c$\PROGRA~1\SplunkUniversalForwarder\etc\system\local"

rem Create inputs.conf with a static host name only if it does not exist yet
if NOT EXIST "%LOCALDIR%\inputs.conf" (
  >>"%LOCALDIR%\inputs.conf" echo [default]
  >>"%LOCALDIR%\inputs.conf" echo host = %~1
)

rem Add serverName under [general] in server.conf when findstr finds no match
findstr /I serverName "%LOCALDIR%\server.conf"
if %errorlevel%==1 (
  fart -C "%LOCALDIR%\server.conf" [general] [general]\r\nserverName=%~1
)

rem Restart the forwarder to pick up the change (commented out; enable to restart remotely)
rem psexec \\%1 c:\PROGRA~1\SplunkUniversalForwarder\bin\splunk restart
0 Karma
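
To find which forwarders still need the static entry before running a fix across hosts, the two layers discussed in this thread can be compared directly. This is an added example, not part of the original posts or Splunk's own tooling: the function names, the constructed sample trees and the host name WINSRV01 are assumptions, and only etc/system/local and etc/system/default are read (app directories are ignored).

```python
import tempfile
from pathlib import Path
PLACEHOLDER = "$decideonstartup"  # spelled as in the thread; compared case-insensitively

def stanza_value(path, stanza, key):
    """Return the last `key = value` under [stanza] in a .conf file, else None."""
    if not path.is_file():
        return None
    current, found = None, None
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()  # also drops trailing spaces as left by `echo text >> file`
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                found = v.strip()
    return found

def effective_host(etc):
    """system/local overrides system/default (assumption: no app sets host)."""
    for layer in ("local", "default"):
        value = stanza_value(Path(etc) / "system" / layer / "inputs.conf", "default", "host")
        if value is not None:
            return value, layer
    return None, None

def needs_static_host(etc):
    """True when no static host is set, so the startup placeholder would be used."""
    value, _ = effective_host(etc)
    return value is None or value.strip("$").lower() == PLACEHOLDER.strip("$")

def build_sample(root, local_host=None):
    """Constructed forwarder tree for the demo (not a real install)."""
    etc = Path(root) / "etc"
    (etc / "system" / "default").mkdir(parents=True)
    (etc / "system" / "local").mkdir(parents=True)
    (etc / "system" / "default" / "inputs.conf").write_text("[default]\nhost = $decideOnStartup\n")
    if local_host:  # constructed local file, with trailing spaces to exercise the parser
        (etc / "system" / "local" / "inputs.conf").write_text(f"[default] \nhost = {local_host} \n")
    return etc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, host in (("stripped", None), ("fixed", "WINSRV01")):
            etc = build_sample(Path(tmp) / name, host)
            print(name, effective_host(etc), "needs fix:", needs_static_host(etc))
```

Pointed at a real forwarder's etc directory (for example over the admin share the batch file uses), `needs_static_host` returns True for installs where the files in etc/system/local were removed.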

dchodur
Path Finder

Matt:

I had to specify the host name in my inputs.conf file manually to make perfmon stats come in with the correct host name in 5.0+ versions. $decideonstartup$ just would not work for me. Looking at fresh installs showed inputs.conf files with this entry in it with a static host name. Sucks to do this when you want to install in VM templates, but that var can be modified easily in a post-rollout script. I made a script to fix this on all my Splunk UFs and all are working now.

matthewcanty
Communicator

Thanks, I think this is what we will do.

0 Karma

matthewcanty
Communicator

I'm sorry I can't quite understand whether or not you resolved this problem. I am looking at the very same issue here. I hope you can clarify steps you made fixing this... Thanks

0 Karma