Hi, fellow Splunkers,
Being fairly new to Splunk, I'm a bit puzzled by the behaviour of the universal forwarder in our XenDesktop (7.5) environment.
Before sealing the golden image I prepped the forwarder according to the information in this forum: after stopping and disabling the universalforwarder service, I ran ./splunk clone-prep-clear-config (the service is re-enabled by means of a GPO on the target OU the cloned AD computer objects are spawned in).
Yesterday I ran a first test of this mechanism, and what strikes me is that:
All clone VDIs are using the same GUID.
All events are indexed using the hostname of the master VDI that was used to create the clones. The computername field of the indexed log entries contains the true name of the VDI, though.
The clone VDIs all have a connected forwarder (as can be confirmed using netstat -o on the deployment server).
The master VDI does not have a forwarder connection in 'forwarder management', as could be expected.
What is going on here? Is the creation of the GUID partly based on fixed parameters that, shortly after spawning a computer from a snapshot, will not have been randomized? What is wrong with the content of the host field, when the computername field is adjusted?
When I rerun the command to remove the GUID from the universal forwarder on the master VDI, no feedback is given. I interpret that as confirmation that the info was stripped already.
Thanks in advance,
Erik Bakker
the Netherlands.
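Added example (not from the original post and not Splunk's own tooling): a small Python audit of the three instance-specific settings that clone-prep-clear-config is documented to remove (the GUID in instance.cfg, serverName in server.conf and host in inputs.conf). Run against the files of a golden image before sealing it, a non-empty result means every clone will inherit that value; the relative paths are the forwarder's standard layout, and the sample contents are constructed.

```python
"""Audit a Universal Forwarder image for identity settings that clones would inherit."""
import configparser
from typing import Dict, List

# (relative path, stanza, key) for each per-instance identity value. Assumed from
# what clone-prep-clear-config is documented to clear: GUID, serverName and host.
IDENTITY_KEYS = [
    ("etc/instance.cfg", "general", "guid"),
    ("etc/system/local/server.conf", "general", "serverName"),
    ("etc/system/local/inputs.conf", "default", "host"),
]


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, preserving key case (serverName != servername)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case instead of lower-casing
    if not text.lstrip().startswith("["):
        text = "[default]\n" + text  # Splunk allows settings before the first stanza header
    cp.read_string(text)
    return cp


def residual_identity(files: Dict[str, str]) -> List[str]:
    """Return 'relpath:key=value' for each identity setting still present in the image.

    An empty list means each clone will generate its own GUID, serverName and host.
    """
    findings = []
    for relpath, section, key in IDENTITY_KEYS:
        text = files.get(relpath)
        if text is None:
            continue  # file absent from the image: nothing to inherit
        cp = parse_conf(text)
        if cp.has_option(section, key) and cp.get(section, key).strip():
            findings.append(f"{relpath}:{key}={cp.get(section, key).strip()}")
    return findings


# Constructed sample: a master image where the GUID was cleared but serverName and host survived.
SAMPLE_IMAGE = {
    "etc/instance.cfg": "[general]\n",
    "etc/system/local/server.conf": "[general]\nserverName = VDI-MASTER01\n",
    "etc/system/local/inputs.conf": "[default]\nhost = VDI-MASTER01\n",
}

if __name__ == "__main__":
    for finding in residual_identity(SAMPLE_IMAGE):
        print("still set:", finding)
```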