Archive

How do you remove a "missing forwarder"

Explorer

I setup notifications within the Deployment Monitor to alert me when there are "missing forwarders". How do I remove forwarders that no longer exist, ie the server has been decommissioned? According to http://www.splunk.com/base/Documentation/latest/Deploy/Drillfordetails I should be able to "click the button Clear old forwarders" on the (I assume) All Forwarders page. However that button doesn't exist in my installation. I'm running 4.2.

Path Finder

Hi Splunkers,

if you have removed or you have uninstalled existing forwarder instances you can remove them from the "missing forwarders" list in the DMC / MC using the "Rebuild Forwarder Assets" button.

http://docs.splunk.com/Documentation/Splunk/6.5.0/DMC/Configureforwardermonitoring#Rebuild_the_forwa...

To remove all their data you can use the |delete command or you can clean the entire index like described in the documentation.

0 Karma

New Member

My situation is I have installed Splunk Forwarder on some of the development servers at the begining. Now i have uninstall the forwarder becasue of the license limitation. How can I remove all the information, including the index for those non-existing forwarders on the splunk server. They are all windows servers.

Thanks!

Joy

0 Karma

Splunk Employee
Splunk Employee

If a forwarder is in "quiet" status, that means it's not sending data, but it is still sending a heartbeat to its receiving indexer. So that forwarder does exist in your deployment.

If you want to get rid of a forwarder entirely, you'll need to uninstall it from whatever box it's on. The deployment monitor app only monitors; you can't use it to make changes to your deployment.

There are a number of reasons why a missing forwarder could change to a quiet forwarder. For example, perhaps there was a network interruption, or maybe the machine the forwarder resides on went down but has now restarted.

In case my previous answer confused you by talking about "automatic removal", let me clarify. I meant that, if the forwarder has gone missing, its listing will (eventually) get automatically removed from the monitor app. The forwarder itself doesn't get automatically uninstalled.

0 Karma

Explorer

Is this automatic removal in 4.2.1? Because we just deployed 4.2 and at first we had a missing legacy forwarder and now it is still there but 'current status' says quiet. We can't get rid of it.

0 Karma

Splunk Employee
Splunk Employee

The deployment monitor app will now automatically remove any missing forwarders within a 24-hour period after they go missing. Users no longer need to clear the old forwarders themselves.

This is due to a fairly recent optimization in the underlying behavior of the app. Since old forwarders now get automatically cleared, there's no longer a need for that button and so it got removed from the UI. In about one minute, the button will be leaving the documentation as well. Thanks for catching this!

Explorer

In Splunk 6.5, this isn't enabled (at least not by default). As btiggemann posted, you need to use the "Rebuild Forwarder Assets" button: http://docs.splunk.com/Documentation/Splunk/6.5.0/DMC/Configureforwardermonitoring#Rebuild_the_forwa...

Explorer

Is there any way to disable this automatic behavior and go back to a manual one? For example, if a system in my production environment stops forwarding, I want to know vs. Splunk quietly moving on.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!