Reporting

Splunk configured with new VMs

trent6
Explorer

I am attempting to setup Splunk on a VM that will become a VM template. I have run sysprep and made it a template. I create a new VM from the template, and it receives new machine name and IP address. The problem is that when it reports to Splunk, it has shows up under the old Hostname entry. I see current entries that state : Host: oldName , Computername: oldName and other entries that state Host: oldName, Computername: newName

We are forwarding Windows event logs to a master Listener. I see at least 3 places where the machine name is configured. Inputs.conf and 2 different server.conf files. What is the best way for us to automate this?

Thanks, Trent

Tags (1)

gkanapathy
Splunk Employee
Splunk Employee

The right way to do this would be to remove the generated files that have the host name (there are only two: server.conf and inputs.conf) and force Splunk to regenerate this with the first-time run process. Unfortunately I don't know how to force this. So instead:

With server.conf, you can actually simply replace it with one that uses the $HOSTNAME environment variable:

serverName = $HOSTNAME

instead of a literal hostname. However, as of the current version (4.1.2) this doesn't work in inputs.conf, leaving you with the option of just generating a new one of those files yourself. It's not very hard, but it is an unnecessary pain in the ass.

thall79
Communicator

I had an SA clone solaris boxes that had Splunk forwarder installed and noticed the same thing. There was another question about this and I followed their ideas and removed the host=(servername) from the servers.conf and my servers were able to pick up the correct name.

Here is the link to the other topic:

http://answers.splunk.com/questions/794/how-to-change-hostname-of-a-splunk-server/807#807

So you could delete the setting and then make your template.

Travis.

trent6
Explorer

This solution worked. We've configure this into the template and created several new machines with no problems.

Thanks

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...