We are using a Horizon View 7 connection server to manage desktop virtual machines in multiple domains. We are using a single-instance Splunk Enterprise Server, with Splunk Universal Forwarders sending the data. All Horizon desktop pools are using Instant Clones method and are all based on snapshots of a single "Gold Image". The desktop pools have different naming conventions, but the VMs are named with consistent prefixes within their own pools. For example:
devel-01, devel-02, etc. for the "devel" pool in the "devel" domain
prod-01, prod-02, etc. for the "prod" pool in the "prod" domain
For all other applications, this has been a great way to reduce administrative overhead, but Splunk Universal Forwarder is giving me fits. I need both the hostname AND the index to be dynamic. I have tried configuring the Gold Image with the "splunk clone-prep-clear-config" command, but that only affects hostname. I want these desktops to send data to pools specifically for their domains. Basically, I want to end up with an $SPLUNK_HOME/etc/system/local/inputs.conf that dynamically assigns the host name and index values based on which desktop it is running on. Something that looks like:
[default]
host = domain-number
index = domain
Can the Splunk Universal Forwarder be incorporated into a clone image in this manner?
... View more