Deployment Architecture

A single forwarder has multiple GUIDs Splunk v7

New Member

On the forwarder management, I was missing a client (which is indexing data and showing in search as well)
That same client/forwarder appears under the monitoring console forwarders.

I followed the below link and deleted instance.cfg and then restarted my forwarder.

Now I have 4 forwarders of the same host (different guids) in my monitoring console section and it is still not showing up on forwarder management section.

Any ideas on how to resolve this?

Tags (2)
0 Karma


Greetings @agarws8,

If the forwarder was not properly installed (like what would happen if a VM image was just placed on a new server), the instance.cfg file will be "wrong" (identical to a different server), and the values of the following will be wrong. Make sure they properly match the host (and then restart the forwarder)


host = [wrong host?]


serverName = [wrong host?]

Note that this could be on the server you think it is OR it could be on a different host.

If you have windows event monitoring set up, find a popular event code that displays the machine name and compare it to the host value looking for differences.



If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...