We have a server that was cloned to have a different hostname. The old server was shut down and the team is now using the new server with a different hostname. Looking at DS, the name of the host is still the same as the old one. Looking at the events from the new cloned server, it's still showing the old server name before it was cloned.
We wanted to reflect the new hostname. Should we delete the server as a client and make it a client again by restarting the forwarder? It should reflect the new hostname, right?
Restarting the forwarder alone will not be enough, as by default Splunk uses the hostname at installation time and records it in the relevant $SPLUNK_HOME/etc/system/local/*.conf files.
In addition to the comments around $SPLUNK_HOME/etc/system/local/inputs.conf, also check the server.conf. Finally, deploymentclient.conf does not by default have a hardcoded hostname, but it can.
You can more or less run grep in $SPLUNK_HOME/etc/system/local for your old hostname to find all the files...
Thank you for your response!
We already checked the deploymentclient.conf and it's pointing to the correct DS where the server is a client but with the old server name. Will check the server.conf as well.
Does it mean that we have to reinstall Splunk to get the correct hostname for the server, and deleting and redefining as client will not be enough?
You can correct the server name in the config without a reinstall.
However, why not start with a clean install and just add the deployment client conf on cloned servers? You can start with auto accepting license and answer yes if required.
Thank you for your responses..
We checked the inputs.conf but we do not see reference to the old name. Is it correct to override the host name? We wanted it to be dynamic where it gathers the actual name and not assigning it....
@nittala_surya is correct.
[default]
host = myhost.mycompany.com
We had this problem when people would rename servers after Splunk was installed but not update this file.
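The grep suggested earlier in the thread finds the file but not the stanza that pins the name. The following added example (not code from any poster in this thread) prints the file, stanza and setting line for every occurrence of the old hostname, skipping comment lines. The name `oldweb01`, the sample files and the function names are constructed for illustration; on a real forwarder the directory to pass is `$SPLUNK_HOME/etc/system/local`.

```shell
#!/bin/sh
# Added example (not from the thread): report where an old hostname is still
# pinned in Splunk .conf files after a clone or rename.

# find_stale_host OLD_NAME DIR
# Prints one line per hit: file<TAB>[stanza]<TAB>setting line
find_stale_host() {
    old="$1"; dir="$2"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v old="$old" -v file="$f" '
            BEGIN { stanza = "(no stanza)"; want = tolower(old) }
            /^[ \t]*#/ { next }                       # ignore comment lines
            /^[ \t]*\[.*\][ \t]*$/ {                  # remember current stanza
                stanza = $0; gsub(/^[ \t]+|[ \t]+$/, "", stanza); next
            }
            index(tolower($0), want) {                # hostnames are case-insensitive
                line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
                printf "%s\t%s\t%s\n", file, stanza, line
            }
        ' "$f"
    done
}

# Constructed sample data: a cloned forwarder whose files still say "oldweb01".
make_sample() {
    d=$(mktemp -d)
    printf '[default]\nhost = oldweb01\n' > "$d/inputs.conf"
    printf '[general]\nserverName = OLDWEB01\n# was oldweb01 before\n' > "$d/server.conf"
    printf '[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n' \
        > "$d/deploymentclient.conf"
    echo "$d"
}

sample=$(make_sample)
find_stale_host oldweb01 "$sample"
rm -rf "$sample"
```

The match is a plain substring test, so a short old name can also hit longer names that contain it; review each reported line before editing.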