We have a server class configuration that looks something like this:
[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*
[serverClass:ewda_nonprod_rw:app:ewda_nonprod_rw]
#restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
After installing the Splunk Universal Forwarder, if I rename a Windows Server computer to eon-avt-api-i-xxxxxxxxxx, set the default hostname in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf to the same name, and restart the Splunk service then the ewda_nonprod_rw app will be deployed to the computer and all the correct logs will be shown in Splunk Cloud under the hostname eon-avt-api-i-xxxxxxxxxx.
We no longer want to rename the computer to match the hostname we want to use for Splunk but I can not get the ewda_nonprod_rw to be deployed to client without renaming the computer. If I do not rename the computer and only set the default hostname in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf to eon-avt-api-i-xxxxxxxxxx and restart the Splunk service then the ewda_nonprod_rw app will not be deployed to the computer and the only logs available in Splunk Cloud under the hostname eon-avt-api-i-xxxxxxxxxx are from the default splunkd and wineventlog sourcetypes. I have also tried setting the server.conf file's serverName to eon-avt-api-i-xxxxxxxxxx with no luck.