Solved: Re: Does splunk clean all remove server names?

kenoski · ‎03-16-2016

We are trying to put our Splunk Indexer on a Windows system image.

Based on the documentation, stopping the Splunk service and issuing the .\splunk clean all command should clean out everything so the system image can be sysprep'd and in the future reimaged elsewhere.

When we do this we see that the original server name still exists in the cloned image upon startup.

Shouldn't the clean all command clean out the following?

1) var\log\splunk\ directory
2) var\lib\splunk\* directories
3) var\run\splunk* directory

I'm guessing that even if it did the above directories, that it would be some manual effort to clean out the following user/app directories:
1) etc\apps\splunk_management_console\lookups\assets.csv
2) etc\users\admin\launcher\history.csv
3) etc\users\admin\search\history.csv
4) etc\users\admin\splunk_app_windows_infrastructure\history.csv

I don't think the users\admin directories would cause problems, but the splunk_management_console lookup file now has the template windows image server name in its assets file, when it wont exist in the deployment.

So would the best practice be to search for the template server name anywhere in the splunk deployment prior to running sysprep cloning the image?

thx.

martin_mueller · ‎03-16-2016

You'll want to run this:

./splunk clone-prep-clear-config

http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Makeadfpartofasystemimage

View solution in original post

martin_mueller · ‎03-16-2016

You'll want to run this:

./splunk clone-prep-clear-config

http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Makeadfpartofasystemimage

kenoski · ‎03-16-2016

Does this work for an indexer also?

kmjefferson42 · ‎01-06-2019

I am also interested to know if this will work on an Splunk Enterprise Indexer. I am currently working in deploying Splunk Enterprise Hyper-V VMs and have run into an issue with the Monitoring Console. When attempting to look at "Instance" specific resource usage all of the data fields are empty. It appears the instance is still showing from the original installation. I have updated the OS Host name and the Splunk server name through the gui and also manually checked/updated in the server.conf and one or two other .conf files (I can't remember off hand).

I will try running this script tomorrow when back in the office and see if it updates the "instance" on the Monitoring Console.

I'll update my finding tomorrow.

Anyone with any insight on this please chime in!!

Thanks, Ken

martin_mueller · ‎03-16-2016

Never tried, but I don't see why not. The help text says this on a full instance:

Clear a Splunk instance of instance-unique config parameters, which are normally
created on initial startup (first-time run, "ftr").  Intended for use after an
instance has been cloned (i.e. all its files simply copied) from another instance.

kenoski · ‎03-17-2016

Thanks for the help.

Maybe someone from Splunk Support can provide an updated way to prepare a full Splunk Enterprise installation for cloning....what they have in the Admin manual is missing this important step.

I wonder what else is missing?

martin_mueller · ‎03-17-2016

For docs feedback, make sure to use the feedback form at the bottom of the docs page.

Does splunk clean all remove server names?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk