How to instruct Splunk Ent. to ignore sending alerts about missing Forwarders?


During my health checks I usually get a list of missing forwarders, I have found that these forwarders were on a few de-commissioned servers that are no longer around. But Splunk repeats the missing FWs. How do I tell it to ignore certain FWs reporting

Labels (1)
Tags (1)
0 Karma

Splunk Employee
Splunk Employee

You should be able to remove these zombies by rebuilding the forwarder assets lookup


Monitoring Console -> Settings -> Forwarder Monitoring Setup -> Rebuild forwarder assets



If you want to disable the alerts completely, read up here