Here is the use case I'm dealing with. We have a large virtual environment in which a lot of teams like to just clone one VM to another, meaning that the forwarder hostname and GUID get cloned, which messes with our reporting.
I am trying to write a simple script that does the following:
1. Detects if a UF's hostname is correct or not.
2. Runs a simple scripted input to clear out any cloned configs.
3. Restarts the forwarder so that the new configs are picked up.
#3 is causing me trouble. If I try to put a "splunk restart" command in the main body of the script, then Splunk will stop, kill the scripted input, and never restart. I've also tried creating a "wrapper" script that invokes a separate script to do the restart, but with no success - Splunk will stop but not start back up. Is there a better way to do this?
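
The hostname check in step 1 could look like the sketch below, an added example that is not part of the original post and does not address the restart problem. It assumes a POSIX host and that the forwarder's stored names are the `host` setting under `[default]` in `etc/system/local/inputs.conf` and `serverName` under `[general]` in `etc/system/local/server.conf`; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): step 1, detect a cloned identity.
# Assumes a POSIX host and the standard etc/system/local layout.

# conf_value FILE STANZA KEY: print KEY's value from [STANZA], skipping comments.
conf_value() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); in_s = ($0 == stanza); next }
        in_s && /^[ \t]*[^#=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
                print v; exit
            }
        }' "$1" 2>/dev/null
}

# stale_identity ETC_DIR REAL_HOSTNAME: print stored names that differ from the
# real hostname and return 0; return 1 when nothing is stale.
stale_identity() {
    etc=$1
    real=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    stale=""
    for spec in "inputs.conf:default:host" "server.conf:general:serverName"; do
        file=${spec%%:*}; rest=${spec#*:}
        stanza=${rest%%:*}; key=${rest#*:}
        val=$(conf_value "$etc/system/local/$file" "$stanza" "$key" |
              tr '[:upper:]' '[:lower:]')
        [ -z "$val" ] && continue          # nothing stored, nothing cloned
        # Compare case-insensitively, accepting short name vs FQDN.
        if [ "$val" != "$real" ] && [ "${val%%.*}" != "${real%%.*}" ]; then
            stale="$stale $file:$key=$val"
        fi
    done
    [ -n "$stale" ] && printf '%s\n' "${stale# }"
    [ -n "$stale" ]
}

# Constructed sample: a clone that still carries the template's names.
demo=$(mktemp -d)
mkdir -p "$demo/system/local"
printf '[default]\nhost = template-vm\n' > "$demo/system/local/inputs.conf"
printf '[general]\nserverName = template-vm\n' > "$demo/system/local/server.conf"
stale_identity "$demo" "web01.example.com" || echo "identity matches"
rm -rf "$demo"
```

In a real check the two arguments would be the forwarder's `etc` directory and the output of `hostname`. A cloned GUID cannot be detected this way, because nothing on the local machine says which GUID is the original.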