Getting Data In
Highlighted

Why is our new cloned server reflecting an old hostname?

Communicator

We have a server that was cloned to that have a different hostname. The old server was shutdown and the team is now using the new server with a different hostname. Looking at DS, the name of the host is still the same as the old one. Looking at the events from the new cloned server, its still showing the old server name before it was cloned.

We wanted to reflect the new hostname. should we delete the server as client and make it as client again by restarting the forwarder? it should reflect the new hostname, right?

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

Motivator

Check hostname in inputs.conf under $SPLUNK_HOME/etc/system/local directory on UF. Chances are this file might still have old hostname.

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

SplunkTrust
SplunkTrust

@nittala_surya is correct.

In /opt/splunk/etc/system/local/inputs.conf

[default]
host = myhost.mycompany.com

We had this problem when people would rename servers after Splunk was installed but not update this file.

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

Communicator

Thank you for your responses..

We checked the inputs.conf but we do not see reference to the old name. Is it correct to override the host name? We wanted it to be dynamic where it gathers the actual name and not assigning it....

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

SplunkTrust
SplunkTrust

Restarting the forwarder alone will not be enough as by default Splunk uses the hostname at installation time and records it in the relevant $SPLUNK_HOME/etc/system/local/*.conf files

In addition to the comments around $SPLUNK_HOME//etc/system/local/inputs.conf also check the server.conf, finally, deploymentclient.conf does not by default have a hardcoded hostname but it can.

You can more or less run grep in $SPLUNK_HOME/etc/system/local for your old hostname to find all the files...

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

Communicator

Thank you for you response!

We already checked the deploymentclient.conf and its pointing to the correct DS where the server is a client but with the old server name. Will check the server.conf as well.
Does it mean that we have to reinstall Splunk to get the correct hostname for the server and deleting and redefining as client will no be enough?

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

SplunkTrust
SplunkTrust

I would just update the deployment.conf and server.conf files with the new host name. And then restart the Splunk forwarder.

0 Karma
Highlighted

Re: Why is our new cloned server reflecting an old hostname?

SplunkTrust
SplunkTrust

You can correct the server name in the config without a reinstall.

However why not start with a clean install and just add the deployment client conf on cloned servers? You can start with auto accepting license and answer yes if required.

0 Karma