Is there a way to assign permissions to Splunk users that will allow them access to delete old forwarders from Forwarder Management and rebuild the forwarder assets under Monitoring Console, but not grant them full admin rights to the rest of the system? I'm looking to get granular on the admin permissions, as different shifts will be responsible for updating the forwarders list as servers are commed and decommed.
We're on Splunk Enterprise 7.0.2 with a distributed environment with a dedicated deployment server.
when you say "delete" from forwarder management, do you mean to remove the name of the forwarder that appears as down or not phoned home for a while?
as for the forwarders list under MC, not sure why manually do so as it updates every interval you set ...
can you elaborate a little on your use case and the drive behind it?
We have an alert that fires off every hour if any forwarders are "missing" ie not current (out of box "DMC Alert - Missing forwarders").
When a server is decommed in our environment, the client instance in Forwarder Management alerts as not having phoned home. We have to then go in and "delete" the entry in Forwarder Management, and then also rebuild the forwarder assets in Monitoring Console. If we don't do the latter, we continue to get the missing forwarders alert, even if it's been deleted from Forwarder Management.
What I'm looking for are the permissions required to manually complete these two tasks. If the "DMC Forwarder - Build Asset Table" report (which we have enabled) is supposed to clean up the table, then it's not working. If I don't get notified of a decomm, then the forwarder goes missing, and I have to log in to delete it and rebuild. I'm looking to give that ability to others as well.
If there's another functionality available that will automate the process, that'd be great, too. But our previous admin said it had to be done manually.