
Splunk Enterprise 7 acting very weird

ranjitbrhm1
Communicator

I am configuring a Splunk 7.1 with the latest universal forwarder. Now something very, very weird is happening.
When I come to the forwarder management page there are at most 2 clients listed on the page. And every time I refresh, 1-2 clients get listed on screen, then disappear. I was forever checking what is going on with my clients and why they are not connecting with my Splunk instance. But what's happening is I can actually see all the apps getting deployed onto ALL the clients irrespective of the clients being listed on the forwarder manager or not. Is this a bug or something I'm doing wrong? I have a Splunk 6.5 running concurrently and it is listing all the forwarders normally. The second image I've attached actually lists the clients on the filter tab. So basically I selected them and Splunk forwarded apps as default. So that's what's confusing me the most. It's all working. BUT nothing gets listed on screen.

1 Solution

ranjitbrhm1
Communicator

I eventually figured out what exactly was wrong here. I was spinning up VMs left and right with the default settings. So one setting which didn't occur to me was the hostname itself. So when I finished spinning up all the new servers, all the servers had the same hostname with different IPs. So according to the documentation, if UFs are not given a specific username during installation, then they will "Calculate" a hostname by themselves. So when all the different servers with different IP addresses but the same hostname for Splunk UF and the base server hostname (in my case I left this as ubuntu, which is the default setting for Ubuntu server) connect to the forwarder, this is what happens. Everything will work as normal but they will not get listed on screen. So let's say 1 server with hostname Ubuntu connects to the DF, then it shows, and when the second connects, the first one disappears and the second one appears. Sometimes 2 servers appear together but never more. I think it's the way Splunk is built. It dissects servers based on hostname and UF hostname and not with IP address. If this strange thing occurs to any of you fellow Splunkers, then just check the hostnames first. I guess this kind of thing only happens in lab environments. But still, good-to-know information.
/R
