Why are there decommissioned instances listed in the S.o.S. pulldown for "server to query?"

Engager

Why am I seeing decommissioned instances (i.e. search peers, forwarders) in the S.o.S. pulldowns and deployment topology view?

Re: Why are there decommissioned instances listed in the S.o.S. pulldown for "server to query?"

Splunk Employee

The S.o.S app maintains its asset tables in lookup files:

$SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv
$SPLUNK_HOME/etc/apps/sos/lookups/splunk_forwarders_cache.csv

To find out more about these lookup tables, I recommend reading the in-view help (accessible using the "Learn More" button) for the Deployment Topology view as well as the $SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv.spec file.

Note that this maintenance of the lookup table only involves adding or updating records - S.o.S will not automatically remove entries of hosts that are no longer reachable.

If you decommissioned search peers, you'll need to edit the $SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv lookup file to manually remove the entries corresponding to those instances.
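
The manual cleanup described above, as an added example that is not part of the original answer or of the S.o.S app. The column name is an assumption: check the lookup's real header (or the .spec file mentioned above) and pass the column that identifies the instance; the sample data in the demo is constructed.

```python
import csv
import os
import shutil
import tempfile


def prune_lookup(path, decommissioned, column):
    """Drop rows whose `column` value names a decommissioned instance.

    Returns the number of rows removed; the original is kept at path + ".bak".
    """
    retired = {name.strip().lower() for name in decommissioned}
    with open(path, newline="") as src:
        rows = list(csv.reader(src))
    if not rows or column not in rows[0]:
        raise ValueError(f"column {column!r} not found in header of {path}")
    header, body = rows[0], rows[1:]
    idx = header.index(column)
    # Short or malformed rows are kept untouched rather than silently dropped.
    kept = [r for r in body
            if len(r) <= idx or r[idx].strip().lower() not in retired]
    removed = len(body) - len(kept)
    if removed == 0:
        return 0  # nothing matched; leave the file as it is

    shutil.copy2(path, path + ".bak")
    # Write a temp file in the same directory, then rename it over the
    # original, so a search reading the lookup never sees a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", newline="") as dst:
            csv.writer(dst).writerows([header] + kept)
        shutil.copymode(path, tmp)  # keep the original file permissions
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return removed


if __name__ == "__main__":
    # Constructed sample: the column names and hosts are made up for the demo.
    demo = os.path.join(tempfile.mkdtemp(), "splunk_servers_cache.csv")
    with open(demo, "w", newline="") as f:
        f.write("server,role\nidx01.example.com,indexer\n"
                "idx02.example.com,indexer\n")
    print(prune_lookup(demo, ["idx02.example.com"], column="server"))
```

Run it as the user that owns the Splunk installation so the ownership of the rewritten file matches the original.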

Re: Why are there decommissioned instances listed in the S.o.S. pulldown for "server to query?"

Path Finder

How does this file, $SPLUNK_HOME/etc/apps/sos/lookups/splunk_forwarders_cache.csv, get populated?
I see some incorrect hosts in that file.
Can I delete the file and regenerate it?
How do I regenerate this file?

0 Karma