Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Deployment Server: Duplicate clients after reinstalling the UF

AliMaher
Path Finder
‎08-20-2025 06:17 AM

Hi 
I hope you are doing well.

 

I have reinstalled the UF after that i found there are duplicate clients on the Deployment server and the monitoring console.

Q: Is there any way that we can refresh/rebuild/delete the old entries in the deployment servers?

#universal forwarder

0 Karma
Reply

AliMaher
Path Finder
‎08-21-2025 12:45 AM

Thanks for your help!

but there is no immediate deletion for the old entries?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-28-2025 01:22 AM

At least earlier DS version "lost" old entries after you reboot it. Then those will be back when they have 1st connected into it. I'm not sure if this is still valid for current DS which are using index to store client information. I have never looked it with those versions.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-22-2025 05:40 AM

At least from MC you could remove those old "missed" nodes by rebuild forwarder database.

MC -> Settings -> Forwarder Monitoring Setup then Rebuild forwarder assets button.
You should remember that this clears all old missed nodes over your selected time span.

Usually there is no need to reinstall UF. It's better to update it on place.

Another issue which you find after remove + install again is, that UF will reindexing all files what it still have on disk. The reason for that is, when you remove old installation you also remove local fishbucket index where UF has bookkeeping what it has already indexed.

Reply

PrewinThomas
Motivator
‎08-20-2025 08:59 PM

@AliMaher 

Best practice is to preserve instance.cfg before reinstall. This keeps the GUID consistent and avoids duplicate entries on the Deployment Server and Monitoring Console.
If you wait a bit, the old entries will fade out on their own.
No manual deletion is required, entries are automatically cleaned up by Splunk after the clients stop phoning home for a period.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...