Why is our new cloned server reflecting an old hostname?

teddyidc1101
Communicator

We have a server that was cloned to have a different hostname. The old server was shut down and the team is now using the new server with a different hostname. Looking at DS, the name of the host is still the same as the old one. Looking at the events from the new cloned server, it's still showing the old server name before it was cloned.

We wanted to reflect the new hostname. Should we delete the server as client and make it a client again by restarting the forwarder? It should reflect the new hostname, right?

0 Karma

gjanders
SplunkTrust

Restarting the forwarder alone will not be enough, as by default Splunk uses the hostname at installation time and records it in the relevant $SPLUNK_HOME/etc/system/local/*.conf files.

In addition to the comments around $SPLUNK_HOME/etc/system/local/inputs.conf, also check the server.conf. Finally, deploymentclient.conf does not by default have a hardcoded hostname, but it can.

You can more or less run grep in $SPLUNK_HOME/etc/system/local for your old hostname to find all the files...

0 Karma

harryc42
Explorer

Not quite the same, but my cloned boxes were not coming up in the queries. In the end I had to update rev-DNS for them, as the host group was defined by hostname.

0 Karma

teddyidc1101
Communicator

Thank you for your response!

We already checked the deploymentclient.conf and it's pointing to the correct DS where the server is a client but with the old server name. Will check the server.conf as well.
Does it mean that we have to reinstall Splunk to get the correct hostname for the server, and deleting and redefining as client will not be enough?

0 Karma

gjanders
SplunkTrust

You can correct the server name in the config without a reinstall.

However, why not start with a clean install and just add the deployment client conf on cloned servers? You can start with auto accepting license and answer yes if required.

0 Karma

burwell
SplunkTrust

I would just update the deployment.conf and server.conf files with the new host name. And then restart the Splunk forwarder.

0 Karma

sudosplunk
Motivator

Check the hostname in inputs.conf under the $SPLUNK_HOME/etc/system/local directory on the UF. Chances are this file might still have the old hostname.

0 Karma

teddyidc1101
Communicator

Thank you for your responses.

We checked the inputs.conf but we do not see a reference to the old name. Is it correct to override the host name? We wanted it to be dynamic, where it gathers the actual name rather than us assigning it....

0 Karma

burwell
SplunkTrust

@nittala_surya is correct.

In /opt/splunk/etc/system/local/inputs.conf

[default]
host = myhost.mycompany.com

We had this problem when people would rename servers after Splunk was installed but not update this file.

0 Karma
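
The check the replies above describe (look through the local config for a leftover name), as an added example that is not part of the original thread and not Splunk tooling. The function name, the sample hostnames oldhost01/newhost02 and ds.example.com are constructed; `serverName`, `clientName` and `$decideOnStartup` are Splunk settings the thread does not quote.

```shell
#!/bin/sh
# Report host-identity settings in a Splunk config directory that still carry
# a name other than the machine's current one (typical after cloning).
# Usage: stale_host_settings DIR CURRENT_NAME   (hypothetical helper)
stale_host_settings() {
    dir=$1
    current=$2
    for f in "$dir/inputs.conf" "$dir/server.conf" "$dir/deploymentclient.conf"; do
        [ -f "$f" ] || continue
        awk -v cur="$current" -v file="${f##*/}" '
            /^[ \t]*\[/ { stanza = $0; next }    # remember the current stanza
            /^[ \t]*(host|serverName|clientName)[ \t]*=/ {
                key = substr($0, 1, index($0, "=") - 1)
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                # $decideOnStartup is resolved by Splunk at startup, so it is not stale
                if (val != cur && val != "$decideOnStartup")
                    print file ": " stanza " " key " = " val
            }' "$f"
    done
}

# Constructed sample: a clone of "oldhost01" that is now named "newhost02".
make_sample() {
    d=$(mktemp -d)
    printf '[default]\nhost = oldhost01\n' > "$d/inputs.conf"
    printf '[general]\nserverName = oldhost01\n' > "$d/server.conf"
    printf '[deployment-client]\n[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n' \
        > "$d/deploymentclient.conf"
    echo "$d"
}

sample=$(make_sample)
stale_host_settings "$sample" newhost02
rm -rf "$sample"
```

On a forwarder the call would be `stale_host_settings "$SPLUNK_HOME/etc/system/local" "$(hostname)"`; any line it prints is a setting to correct before restarting.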