Hi, fellow Splunkers,
being fairly new to Splunk I'm a bit puzzled by the behaviour of the universal forwarder in our XenDesktop (7.5) environment.
Before sealing the golden image I prepped the forwarder according to the information in this forum, after stopping and disabling the universalforwarder service, using ./splunk clone-prep-clear-config (this service is re-enabled by means of a GPO on the target OU the cloned AD-computerobjects are spawned in).
Yesterday I ran a first test of this mechanism, and what strikes me is that:
What is going on here? Is the creation of the GUID partly based on fixed parameters that, shortly after spawning a computer from a snapshot, will not have been randomized? What is wrong with the content of the host-field, when the computername-field is adjusted?
When I rerun the command to remove the guid from the universalforwarder on the master-VDI, no feedback is given. I interpret that as being a confirmation the info was stripped already.
Thanks in advance,
Erik Bakker
the Netherlands.
How I configured my systems for MCS/PVS
Start task, executes 1 minute after system startup
C:
CD C:(install folder)\bin
C:(install folder)\bin\splunk.exe stop
splunkd rest POST /services/server/settings/settings host=%COMPUTERNAME%
splunkd rest POST /services/server/settings/settings serverName=%COMPUTERNAME%
C:(install folder)\bin\splunk.exe start
Apparently this was caused by not using the correct snapshot as a basis for the MCS clones. In the used snapshot the removal of the GUID did not take place.
Erik Bakker
the Netherlands
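A pre-seal check for the cause identified above (a snapshot that still carried the forwarder GUID), as an added example that is not part of the original thread. It assumes the GUID is stored in the [general] stanza of etc\instance.cfg under the forwarder's install folder; the function names, host names and GUID values are constructed for illustration.

```python
from collections import defaultdict


def read_guid(instance_cfg_text):
    """Return the guid from the [general] stanza of instance.cfg, or None."""
    stanza = None
    for raw in instance_cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if stanza == "general" and sep and key.strip() == "guid" and value.strip():
            return value.strip().upper()
    return None


def golden_image_ready(instance_cfg_text):
    """True when no GUID is left behind, so every clone generates its own."""
    return read_guid(instance_cfg_text) is None


def shared_guids(fleet):
    """Map each GUID reported by more than one host to the hosts using it."""
    by_guid = defaultdict(list)
    for host, text in fleet.items():
        guid = read_guid(text)
        if guid:
            by_guid[guid].append(host)
    return {g: sorted(h) for g, h in by_guid.items() if len(h) > 1}


# Constructed sample data: instance.cfg contents collected from three clones.
UNCLEARED = "[general]\nguid = 11111111-2222-3333-4444-555555555555\n"
CLEARED = "[general]\n"
FLEET = {
    "VDI-001": UNCLEARED,  # spawned from the wrong snapshot
    "VDI-002": UNCLEARED,  # same snapshot, therefore the same GUID
    "VDI-003": "[general]\nguid = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n",
}

if __name__ == "__main__":
    print("snapshot safe to seal:", golden_image_ready(UNCLEARED))
    for guid, hosts in shared_guids(FLEET).items():
        print("duplicate GUID", guid, "on", ", ".join(hosts))
```

Run the readiness check against the snapshot that is actually selected as the base for the clones, not only against the master VM's current state.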
We run the following on the Gold Image
• Stop the service SplunkForwarder (but leave the start type at automatic)
• Open an administrative command prompt
• Run the command: C:\Program Files\SplunkUniversalForwarder\bin\splunk clone-prep-clear-config
• Prepare the machine for cloning as necessary, and we didn't reboot them
This works fine, each server is correctly visible on Splunk.
We boot all our servers each weekend.
After the reboot we receive around 10 GB, and on all other days around 2 GB.
Why does it collect all data again each week?