Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk configured with new VMs

trent6
Explorer
‎05-18-2010 03:53 PM

I am attempting to setup Splunk on a VM that will become a VM template. I have run sysprep and made it a template. I create a new VM from the template, and it receives new machine name and IP address. The problem is that when it reports to Splunk, it has shows up under the old Hostname entry. I see current entries that state : Host: oldName , Computername: oldName and other entries that state Host: oldName, Computername: newName

We are forwarding Windows event logs to a master Listener. I see at least 3 places where the machine name is configured. Inputs.conf and 2 different server.conf files. What is the best way for us to automate this?

Thanks, Trent

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-19-2010 12:08 PM

The right way to do this would be to remove the generated files that have the host name (there are only two: server.conf and inputs.conf) and force Splunk to regenerate this with the first-time run process. Unfortunately I don't know how to force this. So instead:

With server.conf, you can actually simply replace it with one that uses the $HOSTNAME environment variable:

serverName = $HOSTNAME

instead of a literal hostname. However, as of the current version (4.1.2) this doesn't work in inputs.conf, leaving you with the option of just generating a new one of those files yourself. It's not very hard, but it is an unnecessary pain in the ass.

Reply

thall79
Communicator
‎05-18-2010 04:38 PM

I had an SA clone solaris boxes that had Splunk forwarder installed and noticed the same thing. There was another question about this and I followed their ideas and removed the host=(servername) from the servers.conf and my servers were able to pick up the correct name.

Here is the link to the other topic:

http://answers.splunk.com/questions/794/how-to-change-hostname-of-a-splunk-server/807#807

So you could delete the setting and then make your template.

Travis.

Reply

trent6
Explorer
‎05-20-2010 12:54 PM

This solution worked. We've configure this into the template and created several new machines with no problems.

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...