Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Deployment Server: Duplicate clients after reinstalling the UF

AliMaher
Path Finder
‎08-20-2025 06:17 AM

Hi 
I hope you are doing well.

 

I have reinstalled the UF after that i found there are duplicate clients on the Deployment server and the monitoring console.

Q: Is there any way that we can refresh/rebuild/delete the old entries in the deployment servers?

#universal forwarder

0 Karma
Reply

AliMaher
Path Finder
‎08-21-2025 12:45 AM

Thanks for your help!

but there is no immediate deletion for the old entries?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-28-2025 01:22 AM

At least earlier DS version "lost" old entries after you reboot it. Then those will be back when they have 1st connected into it. I'm not sure if this is still valid for current DS which are using index to store client information. I have never looked it with those versions.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-22-2025 05:40 AM

At least from MC you could remove those old "missed" nodes by rebuild forwarder database.

MC -> Settings -> Forwarder Monitoring Setup then Rebuild forwarder assets button.
You should remember that this clears all old missed nodes over your selected time span.

Usually there is no need to reinstall UF. It's better to update it on place.

Another issue which you find after remove + install again is, that UF will reindexing all files what it still have on disk. The reason for that is, when you remove old installation you also remove local fishbucket index where UF has bookkeeping what it has already indexed.

Reply

PrewinThomas
Motivator
‎08-20-2025 08:59 PM

@AliMaher 

Best practice is to preserve instance.cfg before reinstall. This keeps the GUID consistent and avoids duplicate entries on the Deployment Server and Monitoring Console.
If you wait a bit, the old entries will fade out on their own.
No manual deletion is required, entries are automatically cleaned up by Splunk after the clients stop phoning home for a period.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...