Splunk Deployment - Standalone

himapate
Explorer

Hi,

I have 1 search head and 1 indexer. I configured the indexer as a search peer and the status is up. However, I cannot search anything on the indexer.
In the DMC I also cannot find the indexer setup.

0 Karma

esix_splunk
Splunk Employee

Did you add it as a search peer on the SH? If you did, and it shows status as up, you should be able to search it. What errors are you getting?

What does a

index=_internal earliest=-5m@m | stats count by host

give you back?

DMC requires some extra configuration, in regards to assigning roles such as Indexer.

0 Karma

himapate
Explorer

Hi ESIX

Found out the issue to be a bit different.
We deployed the Splunk universal forwarder through Tivoli, which was pointing to the deployment server. On deploying it we found out that there is an inputs.conf getting created in the local folder with only the hostname.
We deployed Splunk-TA-Windows through the deployment server on all the hosts.
Using a batch file we appended the inputs.conf host data from system/local to Splunk-TA-Windows/local/inputs.conf, deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have the Splunk-TA-Windows deployed through the deployment server; when the client phones home it removes the hostname there and keeps the conf file present in the deployment app.
How can I add the host details in Splunk without them getting overridden?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA.

Can you help out with this?
Thanks

0 Karma

esix_splunk
Splunk Employee

Inputs for what? Are you saying you cloned 100 machines after starting up and they all have the same hostname? Sounds to me like the issue. This also means you're replicating your GUIDs across your whole domain. This is similar to deploying an image of Windows and not changing the SID.

That inputs is created on the first startup to note the hostname, along with a GUID created in your server.conf, along with PEM and SSL keys. If you have deployed the identical hosts across your domain, then you may have bigger issues. Don't deploy an already installed instance... remotely install it...

0 Karma

himapate
Explorer

No, the hostnames are different and this is the only concern.
I want the hostname stanza to be present in the local directory of the TA.
But when the client phones home, the deployment app, where I can't configure the hostname for each server in the TA inputs.conf, will override the inputs on all the clients and the host stanza will be removed.

0 Karma

esix_splunk
Splunk Employee

Hostname is different because it's cloned...

Check out the clientName option in your deploymentclient.conf. This might be a better workaround for you.

0 Karma