Getting Data In

How to set hostname for the Splunk Windows Universal Forwarder

OldManEd
Builder

When I installed the Splunk Universal Forwarder for Windows, the inputs.conf file has the stanza;

[default]
host = <actual host name>

I want to make the Splunk Forwarder directories on this server part of an image to load onto other servers. So what do I change this stanza to, if anything, to get it to use the name of the server that it's being loaded on?

0 Karma
1 Solution

woodcock
Esteemed Legend

Just delete the host= line from the file in your master image and splunk will automatically figure it out when you deploy the file and (re)start splunk.

View solution in original post

0 Karma

mtranchita
Communicator

In the spec, found at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
it shows that the value in system/default/inputs.conf is $decideOnStartup
On first run this will write to system/local. You can prestage that value in the system/local (or override system/default with an app) so that the UF polls the OS every time it starts.

woodcock
Esteemed Legend

Just delete the host= line from the file in your master image and splunk will automatically figure it out when you deploy the file and (re)start splunk.

0 Karma

OldManEd
Builder

This seemed to work. I commented out the "host =" and "serverName =" lines in the "inputs.conf" and "server.conf" files respectively and the Forwarder serrvice did start this time and it was named correctly in the Deployment server when it "Phoned Home". But I noticed that the "inputs.conf" and "server.conf" files were not updated. I assume the Splunk Forwarder is looking someplace else for the default server name.

Anyway, thanks.

0 Karma

OldManEd
Builder

I just noticed that in the same directory, in the server.conf file, I have the following stanza;

[general]
pass4SymmKey = <Pass key number>
serverName = <actual host name>

I'm going to have to change that also. But to what?

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...