I setup notifications within the Deployment Monitor to alert me when there are "missing forwarders". How do I remove forwarders that no longer exist, ie the server has been decommissioned? According to http://www.splunk.com/base/Documentation/latest/Deploy/Drillfordetails I should be able to "click the button Clear old forwarders" on the (I assume) All Forwarders page. However that button doesn't exist in my installation. I'm running 4.2.
Hi Splunkers,
if you have removed or you have uninstalled existing forwarder instances you can remove them from the "missing forwarders" list in the DMC / MC using the "Rebuild Forwarder Assets" button.
To remove all their data you can use the |delete command or you can clean the entire index like described in the documentation.
My situation is I have installed Splunk Forwarder on some of the development servers at the begining. Now i have uninstall the forwarder becasue of the license limitation. How can I remove all the information, including the index for those non-existing forwarders on the splunk server. They are all windows servers.
Thanks!
Joy
If a forwarder is in "quiet" status, that means it's not sending data, but it is still sending a heartbeat to its receiving indexer. So that forwarder does exist in your deployment.
If you want to get rid of a forwarder entirely, you'll need to uninstall it from whatever box it's on. The deployment monitor app only monitors; you can't use it to make changes to your deployment.
There are a number of reasons why a missing forwarder could change to a quiet forwarder. For example, perhaps there was a network interruption, or maybe the machine the forwarder resides on went down but has now restarted.
In case my previous answer confused you by talking about "automatic removal", let me clarify. I meant that, if the forwarder has gone missing, its listing will (eventually) get automatically removed from the monitor app. The forwarder itself doesn't get automatically uninstalled.
Is this automatic removal in 4.2.1? Because we just deployed 4.2 and at first we had a missing legacy forwarder and now it is still there but 'current status' says quiet. We can't get rid of it.
The deployment monitor app will now automatically remove any missing forwarders within a 24-hour period after they go missing. Users no longer need to clear the old forwarders themselves.
This is due to a fairly recent optimization in the underlying behavior of the app. Since old forwarders now get automatically cleared, there's no longer a need for that button and so it got removed from the UI. In about one minute, the button will be leaving the documentation as well. Thanks for catching this!
In Splunk 6.5, this isn't enabled (at least not by default). As btiggemann posted, you need to use the "Rebuild Forwarder Assets" button: http://docs.splunk.com/Documentation/Splunk/6.5.0/DMC/Configureforwardermonitoring#Rebuild_the_forwa...
Is there any way to disable this automatic behavior and go back to a manual one? For example, if a system in my production environment stops forwarding, I want to know vs. Splunk quietly moving on.