Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk configured with new VMs

trent6
Explorer
‎05-18-2010 03:53 PM

I am attempting to setup Splunk on a VM that will become a VM template. I have run sysprep and made it a template. I create a new VM from the template, and it receives new machine name and IP address. The problem is that when it reports to Splunk, it has shows up under the old Hostname entry. I see current entries that state : Host: oldName , Computername: oldName and other entries that state Host: oldName, Computername: newName

We are forwarding Windows event logs to a master Listener. I see at least 3 places where the machine name is configured. Inputs.conf and 2 different server.conf files. What is the best way for us to automate this?

Thanks, Trent

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-19-2010 12:08 PM

The right way to do this would be to remove the generated files that have the host name (there are only two: server.conf and inputs.conf) and force Splunk to regenerate this with the first-time run process. Unfortunately I don't know how to force this. So instead:

With server.conf, you can actually simply replace it with one that uses the $HOSTNAME environment variable:

serverName = $HOSTNAME

instead of a literal hostname. However, as of the current version (4.1.2) this doesn't work in inputs.conf, leaving you with the option of just generating a new one of those files yourself. It's not very hard, but it is an unnecessary pain in the ass.

Reply

thall79
Communicator
‎05-18-2010 04:38 PM

I had an SA clone solaris boxes that had Splunk forwarder installed and noticed the same thing. There was another question about this and I followed their ideas and removed the host=(servername) from the servers.conf and my servers were able to pick up the correct name.

Here is the link to the other topic:

http://answers.splunk.com/questions/794/how-to-change-hostname-of-a-splunk-server/807#807

So you could delete the setting and then make your template.

Travis.

Reply

trent6
Explorer
‎05-20-2010 12:54 PM

This solution worked. We've configure this into the template and created several new machines with no problems.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...