Our company's IT/Ops team manages a Splunk Cloud server and they have set up various custom apps for our different services; one such app has all the monitors and other configuration necessary for a specific API's logs to be included in the Splunk Cloud. In the past, after installing SplunkUniversalForwarder, we have been able to rename a computer (EC2 Instance running Windows Server), set the C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file to use the computer's name as the default hostname, and restart the Splunk service, and then the custom app folder would automatically be deployed to C:\Program Files\SplunkUniversalForwarder\etc\apps and all the API logs would show up just fine in Splunk Cloud. We do not want to rename the computers anymore, though, but if I set the inputs.conf with a default hostname that is different than the computer's name and then restart the Splunk service, then it will not deploy the custom app folder and the API's logs will not be accessible in Splunk Cloud. The hostname is confirmed to be working, though, because it will start showing Splunk logs (from sourcetype "splunkd") in Splunk Cloud with the host name set in the inputs.conf file. I could manually add monitors to the inputs.conf file, but then I guess our IT/Ops won't be able to administer changes via the app. So, is it possible to download that custom app without renaming the computers?