Multiple updates

- Adjusted the date format in all Powershell scripts to include timezone offset
- Added more logic to dsRemove.ps1 to account for existing configurations on the host and removing all configurations at once
- Added a bailout if inputs.conf configurations are not present for dsReplace scripts
- Created inputs.conf.spec file to include new settings for correcting deployment server configurations

Author: codingWithJimmy

README/inputs.conf.spec

@@ -0,0 +1,15 @@
+## Configurations to pass btool checks without throwing errors
+
+[script:<uniqueName>]
+deploymentServerUri = [string]
+* Correct URI that should be configured
+
+deploymentClientApp = [string]
+* App name that contains the correct deploymentclient.conf configuration
+
+[powershell:<uniqueName>]
+deploymentServerUri = [string]
+* Correct URI that should be configured with port
+
+deploymentClientApp = [string]
+* App name that contains the correct deploymentclient.conf configuration

bin/dateTimeCorrect.ps1

@@ -4,7 +4,7 @@ $referenceDateTime = "$SPLUNKHOME\apps\SplunkForwarderRepairKit\datetime.xml"
 $restartDateTimeCheck = "$SPLUNKHOME\etc\restartdatetime.txt"
 
 ### Filter to attach timestamps where necessary
-filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
 
 ### Check flags and take appropriate actions for host name
 if(Compare-Object -ReferenceObject $(Get-Content $existingDateTime) -DifferenceObject $(Get-Content $referenceDateTime)) {

bin/dsRemove.ps1

@@ -1,21 +1,57 @@
+### Grab variables from inputs.conf
+$BTOOL_INPUT = & $SPLUNKHOME\bin\splunk.exe cmd btool inputs list powershell://dsRemove --debug
+$SFRK_APP = ($BTOOL_INPUT -replace [regex]::Escape("$SPLUNKHOME\etc\apps\"),"" -replace "\\(default|local)\\inputs.conf","").Split(" ")[0]
+$CORRECT_DS_LINE = ($BTOOL_INPUT | findstr deploymentServerUri)
+$CORRECT_DS_APP_LINE = ($BTOOL_INPUT | findstr deploymentClientApp)
+$CORRECT_DS = ("$CORRECT_DS_LINE" -replace [regex]::Escape("$SPLUNKHOME\etc\apps\"),"").Split(" ")[3]
+$CORRECT_DS_APP = ("$CORRECT_DS_APP_LINE" -replace [regex]::Escape("$SPLUNKHOME\etc\apps\"),"").Split(" ")[3]
+
+if (!$CORRECT_DS) {
+  Write-output "deploymentServerUri not configured in inputs.conf" | timestamp
+  exit
+}
+
+if (!$CORRECT_DS_APP) {
+  Write-output "deploymentClientApp not configured in inputs.conf" | timestamp
+  exit
+}
+
 ### Configure file paths for the system
-$LOCAL = {$((Get-ChildItem -Path "$SPLUNKHOME\etc\system\local" -Include deploymentclient.conf -File -Recurse).Count)}
-$DEPLOYED = {$((Get-ChildItem -Path "$SPLUNKHOME\etc\apps" -Include deploymentclient.conf -File -Recurse).Count)}
+$LOCAL = $((Get-ChildItem -Path "$SPLUNKHOME\etc\system\local" -Include deploymentclient.conf -File -Recurse).Count)
+$DEPLOYED = $((Get-ChildItem -Path "$SPLUNKHOME\etc\apps" -Include deploymentclient.conf -File -Recurse).Count)
+$LIST_APPS = $(Get-ChildItem -Path "$SPLUNKHOME\etc\apps" -Include deploymentclient.conf -File -Recurse)
+$BAD_APPS = @(($LIST_APPS -replace "(deafult|local)\\deploymentclient.conf","").where{$_ -notmatch [regex]::Escape("$CORRECT_DS_APP") })
 $RESTART_CHECK = "$SPLUNKHOME\etc\restartds.txt"
 
 ### Filter to attach timestamps where necessary
-filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
+
+## Capture the current configuration that Splunk is using from btool
+$BTOOL = & $SPLUNKHOME\bin\splunk.exe cmd btool deploymentclient list --debug | FINDSTR 'targetUri'
+$CURRENT_DS = ($BTOOL -replace [regex]::Escape("$SPLUNKHOME"),"").Split(" ")[3]
+$CURRENT_APP_PATH = "$SPLUNKHOME"+($BTOOL -replace [regex]::Escape("$SPLUNKHOME"),"" -replace "\\(deafult|local)\\deploymentclient.conf","").Split(" ")[0]
+$CURRENT_APP_NAME = ($CURRENT_APP_PATH -replace [regex]::Escape("$SPLUNKHOME\etc\apps\"),"")
 
 ### Check to see if there is a deploymentclient.conf file under $SPLUNKHOME\etc\apps and bail out if there isn't
 if ($DEPLOYED -eq "0") {
-    Write-output "No deploymentclient.conf detected in $SPLUNKHOME\etc\apps. Bailing out so the fowarder doesn't get orphaned." | timestamp
-} elseif ($DEPLOYED -gt "1") {
-    Write-output "Multiple deploymentclient.conf detected in $SPLUNKHOME\etc\apps. Check all deployed apps to ensure you\'re only using one." | timestamp
-} elseif ($LOCAL -eq "1" -AND $DEPLOYED -eq "1") {
-    ### Remove the local "deploymentclient.conf" and flag
-    Write-output "Removed deploymentclient.conf from local system." | timestamp
-    Remove-Item -Path "$LOCAL"
-    Out-File -FilePath "$RESTART_CHECK"
-} else {
-    Write-output "No deploymentclient.conf correction necessary." | timestamp
+  Write-output "No deploymentclient.conf detected in $SPLUNKHOME\etc\apps. Bailing out so the fowarder doesn't get orphaned." | timestamp
+  Write-output "Deploy $CORRECT_APP to this server to correct this issue." | timestamp
+}
+elseif ($DEPLOYED -gt "1") {
+  Write-output "Multiple deploymentclient.conf detected in $SPLUNKHOME\etc\apps." | timestamp
+  Write-output "Removing bad app(s) to ensure there is no contention with $CORRECT_DS_APP" | timestamp
+  foreach ($item in $BAD_APPS)
+  {
+    Remove-Item -Path "$item" -Force -Recurse -Confirm
+    Write-output "Removed app: $item" | timestamp
+  }
+  Out-File -FilePath "$RESTART_CHECK"
+}
+elseif ($LOCAL -eq "1" -AND $DEPLOYED -eq "1") {
+  Write-output "Removed deploymentclient.conf from local system." | timestamp
+  Remove-Item -Path "$LOCAL" -Force -Confirm
+  Out-File -FilePath "$RESTART_CHECK"
+}
+else {
+  Write-output "No deploymentclient.conf correction necessary." | timestamp
 }

bin/dsRemove.sh

@@ -6,33 +6,41 @@
 ### Look for a deploymentclient.conf file in the apps directory and define the path to the restartds.txt file
 CORRECT_APP_DEPLOYED=$(find $SPLUNK_HOME/etc/apps -type d -name ${CORRECT_APP} | wc -l)
 DEPLOYED_APP=$(find $SPLUNK_HOME/etc/apps -type f -name deploymentclient.conf | wc -l)
+BAD_APPS=($(find $SPLUNK_HOME/etc/apps -type f -name deploymentclient.conf | grep -v ${CORRECT_APP} | sed "s/\/(default|local)\/deploymentclient.conf//"))
 LOCAL=$(find $SPLUNK_HOME/etc/system/local -type f -name deploymentclient.conf | wc -l)
 RESTART_CHECK=$SPLUNK_HOME/etc/restartds.txt
 
 ## Capture the current deployment server URI from btool
 BTOOL=$(${SPLUNK_HOME}/bin/splunk btool deploymentclient list --debug | grep targetUri)
 CURRENT_DS=$(echo ${BTOOL} | awk '{print $4}')
-CURRENT_APP_PATH=$(echo ${BTOOL} | awk '{print $1}' | sed "s/\/(default|local)\/deploymentclient.conf//"
+CURRENT_APP_PATH=$(echo ${BTOOL} | awk '{print $1}' | sed "s/\/(default|local)\/deploymentclient.conf//")
 CURRENT_APP_NAME=$(echo ${CURRENT_APP_PATH} | sed "s|${SPLUNK_HOME}\/etc\/apps\/||")
 
+## Check for inputs configurations and bail out if they don't exist
+if [ -z "${CORRECT_DS}" ] || [ -z "${CORRECT_APP}" ]; then
+  echo "$(date -R) $HOSTNAME: Missing configurations in inputs.conf."
+  exit 1
+fi
+
 ## If there is no deployed app with a deployment client, bail out
 if [ $DEPLOYED_APP = "0" ]; then
   echo "$(date -R) $HOSTNAME: No deploymentclient.conf detected in $SPLUNK_HOME/etc/apps. Bailing out so the fowarder doesn\'t get orphaned."
-  echo "$(date -R) $HOSTNAME: Deploy \"${CURRENT_APP_NAME}\" to this server to correct this issue."
+  echo "$(date -R) $HOSTNAME: Deploy \"${CORRECT_APP}\" to this server to correct this issue."
   exit 1
 fi
 
 ## If more than one deploymentclient.conf file is deployed, nuke the wrong app and set the checkpoint file
 if [ $DEPLOYED_APP > "1" ]; then
   echo "$(date -R) $HOSTNAME: Multiple apps with deploymentclient.conf detected in $SPLUNK_HOME/etc/apps."
-  echo "$(date -R) $HOSTNAME: Removing ${CURRENT_APP_NAME} to ensure there is no contention with ${CORRECT_APP}"
-  rm -rf "${CURRENT_APP_PATH}"
+  echo "$(date -R) $HOSTNAME: Removing bad apps to ensure there is no contention with \"${CORRECT_APP}\""
+  for i in "${BAD_APPS[@]}"; do
+    rm -rf $i
+  done
   touch $RESTART_CHECK
 fi
 
 ## If there's 1 local config, remove the local one and set the checkpoint file
 if [ $LOCAL = "1" ]; then
-  # Remove the deploymentclient.conf from $SPLUNK_HOME/etc/system/local
   rm -f $SPLUNK_HOME/etc/system/local/deploymentclient.conf > /dev/null 2>&1
   echo $(date -R) $HOSTNAME: Removed deploymentclient.conf from local system.
   touch $RESTART_CHECK

bin/hostCorrect.ps1

@@ -6,7 +6,7 @@ $restartInputCheck = "$SPLUNKHOME\etc\restartinput.txt"
 $restartServerCheck = "$SPLUNKHOME\etc\restartserver.txt"
 
 ### Filter to attach timestamps where necessary
-filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
 
 ### Compare values to actual host value and flag accordingly
 if (-not ($currentHost -eq $env:COMPUTERNAME)){

bin/regenGUID.ps1

@@ -4,7 +4,7 @@ $INSTANCE_CHECK = {$(Test-Path "$INSTANCE_FILE.*")}
 $RESTART_CHECK = "$SPLUNKHOME\etc\restartguid.txt"
 
 ### Filter to attach timestamps where necessary
-filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
 
 ### Check to see if the GUID has already been replaced on this host previously by this script
 if ($INSTANCE_CHECK -eq "True") {
@@ -15,4 +15,4 @@ if ($INSTANCE_CHECK -eq "True") {
     Copy-Item -Path "$INSTANCE_FILE" -Destination "$INSTANCE_FILE.$(Get-Date -Format 'MMddyyyy').bak"
     Remove-Item -Path "$INSTANCE_FILE"
     Out-File -FilePath "$RESTART_CHECK"
-}
+}

bin/restart.ps1

@@ -11,7 +11,7 @@ $restartGUID = $(Test-Path "$SPLUNKHOME\etc\restartguid.txt" -PathType Leaf)
 $restartDateTime = $(Test-Path "$SPLUNKHOME\etc\restartdatetime.txt" -PathType Leaf)
 
 ### Filter to attach timestamps where necessary
-filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
 
 if ($restartInput -eq "True" -OR $restartServer -eq "True" -OR $restartDS -eq "True" -OR $restartGUID -eq "True" -OR $restartDateTime -eq "True") {
 	Write-output "One or more settings has been changed." | timestamp

default/inputs.conf

@@ -52,14 +52,16 @@ sourcetype = ds_remove:output
 interval = -1
 source = ds_remove_output
 deploymentServerUri =
-deploymentClientApp = 
+deploymentClientApp =
 
 [powershell://dsRemove]
 disabled = 1
 index = _internal
 sourcetype = ds_remove:output
 source = ds_remove_output
 script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\dsRemove.ps1"
+deploymentServerUri =
+deploymentClientApp = 
 
 ### Scripts used to correct issues with datetime.xml
 ### https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020