| inputlookup dmc_forwarder_assets.csv | stats count by status and 25K are missing and 8K are active, in our case.
Is there a scheduled search which regularly adds newly phoned-home forwarders to the lookup table?
What's the proper way to handle deletions from this lookup?
| rest splunk_server=local /services/deployment/server/clients | table hostname,ip on the deployment server I see 4.2K. Really weird.
Did you read this part of the doc (in relation to your replies to MuS)?
Click Monitoring Console > Settings > Forwarder Monitoring Setup and choose from several values for data collection interval. This interval determines how often that scheduled search runs. The default value is 15 minutes. When the scheduled search runs to rebuild the forwarder asset table it always looks back 15 minutes. This lookback time is not configurable, and it is different from the data collection interval. For example, if you set the data collection interval to 24 hours, the scheduled search will run once every 24 hours, but check only the 15 minutes before it starts running.
Take a look here https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring#Rebuild_the_for... . If you click rebuild forwarder assets ... under /en-US/app/splunk_monitoring_console/monitoringconsole_forwarder_setup it starts the macro dmc_re_build_forwarder_assets(1) in the background. So you could also just run this macro manually to reset the lookup, or schedule it as a saved search.
Hope this helps ...
The thing is @MuS that we are terrified of this option, because we suspect that by rebuilding the asset table, we might lose forwarders that haven't phoned home for some time, so the internal decree is not to use the rebuild option.
From my colleague -
-- The approach we are leaning towards is simply having a scheduled search removing any forwarders which have not checked in within the past 90 days. With a scheduled search it’s automated and we don’t have to "manually" do anything. I have already updated the searches which the 'missing forwarders' are using so those forwarders which were simply re-installed (i.e. new GUID) are not falsely reported as missing.
Those are forwarders which have checked into the deployment server. That is different from how the dmc asset table works.
If you want to manually overwrite the table with your own search, be my guest. 😉
Otherwise see my comment on my answer.
As @jkat54 said: if you don't like the way it works, re-write the searches 😉
It might also be worth actually posting your solution here for others to benefit?
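One way the 90-day pruning search discussed in this thread could look, as an added example that is not from any of the posters or from Splunk's own Monitoring Console searches. It assumes the lookup has a last_connected column holding epoch seconds, and it keeps any row whose last_connected cannot be parsed rather than deleting it; last_connected_epoch is a temporary field name chosen for the example.

```spl
| inputlookup dmc_forwarder_assets.csv
| eval last_connected_epoch = tonumber(last_connected)
| where isnull(last_connected_epoch) OR last_connected_epoch >= relative_time(now(), "-90d")
| fields - last_connected_epoch
| outputlookup override_if_empty=false dmc_forwarder_assets.csv
```

To preview what would be kept before scheduling it, replace the final outputlookup line with `| stats count by status`. The override_if_empty=false setting stops the search from overwriting the lookup with nothing if no rows are returned.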