A single forwarder has multiple GUIDs Splunk v7

agarws8 · ‎09-30-2019

On the forwarder management, I was missing a client (which is indexing data and showing in search as well)
That same client/forwarder appears under the monitoring console forwarders.

I followed the below link and deleted instance.cfg and then restarted my forwarder.
https://answers.splunk.com/answers/694188/why-is-our-universal-forwarder-not-visible-in-the.html

Now I have 4 forwarders of the same host (different guids) in my monitoring console section and it is still not showing up on forwarder management section.

Any ideas on how to resolve this?

jacobpevans · ‎10-01-2019

Greetings @agarws8,

If the forwarder was not properly installed (like what would happen if a VM image was just placed on a new server), the instance.cfg file will be "wrong" (identical to a different server), and the values of the following will be wrong. Make sure they properly match the host (and then restart the forwarder)

$SPLUNK_HOME\etc\system\local\inputs.conf

[default]
host = [wrong host?]

$SPLUNK_HOME\etc\system\local\server.conf

[general]
serverName = [wrong host?]

Note that this could be on the server you think it is OR it could be on a different host.

If you have windows event monitoring set up, find a popular event code that displays the machine name and compare it to the host value looking for differences.

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

A single forwarder has multiple GUIDs Splunk v7

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!