App is not deployed to client if the computer name does not match the Splunk hostname.

aaronvt

We have a server class configuration that looks something like this:

 

[serverClass:ewda_nonprod_rw]
blacklist.0 = eon-prod*
whitelist.0 = eon-test*
whitelist.1 = eon-*

[serverClass:ewda_nonprod_rw:app:ewda_nonprod_rw]
#restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

After installing the Splunk Universal Forwarder, if I rename a Windows Server computer to eon-avt-api-i-xxxxxxxxxx, set the default hostname in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf to the same name, and restart the Splunk service, then the ewda_nonprod_rw app will be deployed to the computer and all the correct logs will be shown in Splunk Cloud under the hostname eon-avt-api-i-xxxxxxxxxx.

We no longer want to rename the computer to match the hostname we want to use for Splunk, but I cannot get the ewda_nonprod_rw app to be deployed to the client without renaming the computer. If I do not rename the computer and only set the default hostname in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf to eon-avt-api-i-xxxxxxxxxx and restart the Splunk service, then the ewda_nonprod_rw app will not be deployed to the computer, and the only logs available in Splunk Cloud under the hostname eon-avt-api-i-xxxxxxxxxx are from the default splunkd and wineventlog sourcetypes. I have also tried setting the server.conf file's serverName to eon-avt-api-i-xxxxxxxxxx with no luck.
