Issue
As someone mentioned in the Splunk forum:
$decideonstartup just would not work for me.
The splunk daemon is supposed to set the value automatically:
Note: By default, the host attribute is set to the variable $decideOnStartup, which means that it's set to the hostname of the machine splunkd is running on. The splunk daemon re-interprets the value each time it starts up.
But it just stayed as host=$decideonstartup for me.
What's the best way to set this value when configuring Splunk via an AWS SSM Document?
Solution
Use the EC2 instance metadata service:
$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token
$ip = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/local-ipv4
And then you can insert the EC2 instance IP into the inputs.conf file host=$ip, assuming you're building the inputs.conf file within the SSM document.
Answered By - Yann Stoneman Answer Checked By - Dawn Plyler (WPSolving Volunteer)
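The two steps from the answer above, put together as one SSM-runnable PowerShell step. This is an added example, not code from the original answer. It checks that the metadata response is an IPv4 address before writing it, and it replaces an existing host= line in [default] instead of appending a duplicate. The inputs.conf path, the function names and the 60 second token TTL are assumptions.

```powershell
# Added example; the path below is an assumed install location, adjust as needed.
$ErrorActionPreference = 'Stop'
$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
$Imds = 'http://169.254.169.254/latest'

function Get-ImdsLocalIPv4 {
    # IMDSv2: PUT for a session token, then GET with the token header.
    $token = Invoke-RestMethod -Method PUT -Uri "$Imds/api/token" -TimeoutSec 5 `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    $ip = Invoke-RestMethod -Method GET -Uri "$Imds/meta-data/local-ipv4" -TimeoutSec 5 `
        -Headers @{ 'X-aws-ec2-metadata-token' = $token }
    # Validate the response before it is written into a config file.
    $parsed = $null
    if ("$ip" -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse("$ip", [ref]$parsed)) {
        throw "Unexpected local-ipv4 value from metadata service: '$ip'"
    }
    return $parsed.ToString()
}

function Set-SplunkDefaultHost {
    param([string[]]$Lines, [string]$HostValue)
    # Replace host= inside [default]; add the key (and stanza) when missing.
    $out = New-Object System.Collections.Generic.List[string]
    $inDefault = $false; $seenDefault = $false; $done = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            if ($inDefault -and -not $done) { $out.Add("host = $HostValue"); $done = $true }
            $inDefault = ($Matches[1] -eq 'default')
            if ($inDefault) { $seenDefault = $true }
        } elseif ($inDefault -and $line -match '^\s*host\s*=') {
            if (-not $done) { $out.Add("host = $HostValue"); $done = $true }
            continue   # drop the old (or duplicate) host line
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $seenDefault) { $out.Add('[default]') }
        $out.Add("host = $HostValue")
    }
    return $out.ToArray()
}

$ip = Get-ImdsLocalIPv4
$current = if (Test-Path $InputsConf) { Get-Content $InputsConf } else { @() }
Set-SplunkDefaultHost -Lines $current -HostValue $ip | Set-Content $InputsConf -Encoding ASCII
```

splunkd reads the host value at startup, so run this before the service is first started or restart the service afterwards.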