In my environment we make clones of our linux servers so that we don't have to build out a server from scratch for every new project. On my master image, I have configured a splunk forwarder to splunk to our indexer. My question is as I now make a clone for a particular project, all future clones will show up with the same hostname. How do I go about modifying the clone to reflect their new hostnames? Is it a matter of changing configuration files, or some splunk commands against the database? Are there any other considerations to take into account?
Before you make a backup/clone, remove "host=" parameter in inputs.conf in local bundles (also check that other configuration file does not contain host= parameter as well). When Splunk starts up on cloned client machine, it should pick up the local machine name and forward it to the indexer.
In a vanilla Splunk configuration (version 4.0), there are only two files that contain the host name: $SPLUNK_HOME/etc/system/local/inputs.conf and $SPLUNK_HOME/etc/system/local/server.conf. These files are generated the first time Splunk is run after installation.