How to change hostname of a universal forwarder on VMs(XenDesktop Agent)

Takajian
Builder

I am attempting to set up Splunk on a VM that will become a VM (XenDesktop) template. I create a new VM from the template, and it receives a new machine name and IP address.
The problem is that when it reports to Splunk, it shows up under the old hostname entry.

I checked the following answer.

http://splunk-base.splunk.com/answers/794/how-to-change-hostname-of-a-splunk-server#807

$SPLUNK_HOME/etc/system/local/inputs.conf and $SPLUNK_HOME/etc/system/local/server.conf.

I read "These files are generated the first time Splunk is run after installation." in the above answer,
but I am using the 4.2.3 universal forwarder. These files were created automatically during the installation.
If I delete inputs.conf after the installation, Splunk does not create it again automatically. So, copied VMs use the old hostname.

Please help!

1 Solution

elusive
Splunk Employee

It is true that if you delete inputs.conf and restart, the Splunk 4.2.x Universal Forwarder will not recreate inputs.conf. The solution is to tell Splunk that this is a new installation. In order to do this, here is the solution:

1. Stop the UF.
2. Delete server.conf and inputs.conf in etc/system/local.
3. Create a file named ftr in the $SPLUNK_HOME directory ("touch ftr" on non-Windows, or 'fsutil file createnew "c:\Program Files\SplunkUniversalForwarder\ftr" 0' on Windows).
4. Delete splunkd.xml in $SPLUNK_HOME/etc/myinstall.
5. Start the UF.

This is basically telling Splunk that this is a new instance, so create server.conf and inputs.conf, but keep the configurations you have already deployed. (Upon start, Splunk will create splunkd.xml as well.)

You can create a script that will do the above on all of the VM Splunk UF instances.
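
The five steps above as one PowerShell script for a cloned Windows VM, added here as an example and not part of the original post. It assumes the default install path and the SplunkForwarder service name that appear elsewhere in this thread, plus an elevated session; the host check at the end is an addition to the steps.

```powershell
# Added example (not from the original thread): reset a cloned UF's identity.
# Assumptions: default install path, service name SplunkForwarder, elevated session.
param(
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$ServiceName = 'SplunkForwarder'
)
$ErrorActionPreference = 'Stop'
$localDir = Join-Path $SplunkHome 'etc\system\local'

# 1. Stop the forwarder and wait until the service reports Stopped.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# 2. Delete server.conf and inputs.conf in etc\system\local.
foreach ($name in 'server.conf', 'inputs.conf') {
    $file = Join-Path $localDir $name
    if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file -Force }
}

# 3. Create the empty file named ftr in $SPLUNK_HOME.
New-Item -ItemType File -Path (Join-Path $SplunkHome 'ftr') -Force | Out-Null

# 4. Delete splunkd.xml in etc\myinstall.
$xml = Join-Path $SplunkHome 'etc\myinstall\splunkd.xml'
if (Test-Path -LiteralPath $xml) { Remove-Item -LiteralPath $xml -Force }

# 5. Start the forwarder; it recreates the deleted files on this start.
Start-Service -Name $ServiceName

# Added check: wait for the regenerated inputs.conf, then compare its host value
# with this machine's name so a clone still reporting the template name is caught.
$inputs   = Join-Path $localDir 'inputs.conf'
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Path -LiteralPath $inputs) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
}
if (-not (Test-Path -LiteralPath $inputs)) { throw 'inputs.conf was not regenerated' }
$m = Select-String -LiteralPath $inputs -Pattern '^\s*host\s*=\s*(\S+)' | Select-Object -First 1
$configured = if ($m) { $m.Matches[0].Groups[1].Value } else { '<none>' }
if ($configured -ieq $env:COMPUTERNAME) {
    Write-Output "OK: forwarder host is $configured"
} else {
    Write-Warning "host in inputs.conf is '$configured', expected '$env:COMPUTERNAME'"
}
```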

dkiss
New Member

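I've had the same problem. I solved it in the way that dshpritz mentioned above. Here is my solution in PowerShell:

# Use the clone's current machine name as the Splunk host value
$hostname = hostname
$Path = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\'
$inputs = 'inputs.conf'
$server = 'server.conf'
if(Test-Path ($Path + $inputs)){
    # Overwrite inputs.conf with the new host; write ASCII instead of the
    # UTF-16 that Out-File produces by default in Windows PowerShell
    "[default]`nhost = $($hostname)" | Out-File ($Path + $inputs) -Encoding ASCII
    # Remove server.conf so it is regenerated on the next start
    Remove-Item ($Path + $server)
}
# Restart the forwarder so it picks up the change
Stop-Service SplunkForwarder -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
Start-Service SplunkForwarder -ErrorAction SilentlyContinue -WarningAction SilentlyContinue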

It works like a charm.

Thanks and Greetings,
David

xavierashe
Contributor

I came across this question a few years later. Here's an updated answer for 2017 and UF version 6.6.x.

All you have to do is delete server.conf and inputs.conf and restart your UF. I run a search of all servers that are in my CBDB, but not in Splunk. I then run this script on all of them:

rem If the UF is already installed, delete the identity files so they are recreated on restart
if exist "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" (
    del /F "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"
    del /F "C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf"
) else (
    rem Otherwise install the UF silently and copy the apps from the share
    start /wait msiexec /i \\myserver\splunk\splunkforwarder-6.6.2-4b804538c686-x64-release.msi SERVICESTARTTYPE=auto AGREETOLICENSE=Yes /quiet
    xcopy "\\myserver\splunk\*.*" "C:\Program Files\SplunkUniversalForwarder\etc\apps" /S
)
rem net stop waits for the service to stop before returning; sc stop returns immediately
net stop splunkforwarder
net start splunkforwarder

Takajian
Builder

Yes, I know that server.conf is regenerated if I delete it and restart Splunk. But $SPLUNK_HOME/etc/system/local/server.conf is not regenerated. The inputs.conf was created once during UF installation. Please note that we do not have a Windows GPO environment either, so I need to resolve this by Splunk itself. Do you know about $SPLUNK_HOME/etc/system/local/server.conf?

NaraSplunk
Explorer

the power of the cloud 😞

dshpritz
SplunkTrust

You may want to try removing or editing the "serverName=" line in $SPLUNK_HOME/etc/system/local/server.conf. That way the UF will recalculate the serverName.

Thanks,

Dave
