Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How does one fix the multiple Forwarders with same...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OldManEd
Builder
10-23-2015
08:10 AM
Everyone,
Here is my situation. I set up one Windows box with a Universal Forwarder, V6.3. This one forwarder was to be the one that all the many other forwarders would be cloned from. An older version of a Forwarder was placed on these other Windows boxes when another group created a Windows image. This older version was never set up properly.
In an effort to clean things up, the process that was used to re-do the Forwarders was the following;
- Stop the Forwarder service on the Windows box
- Delete the “C:\Program Files\SplunkUniversalForwarder\” directory.
- Copy in the new, updated, directory, “C:\Program Files\SplunkUniversalForwarder\”.
- Restart the service
Everything looked OK but I'm using a separate server as a Deployment server and monitoring server. When I went to the Distributed Management Console under Forwarders>Instance I see the message below;
Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.
When I went through all the devices listed, I only saw one entry for each hostname but I noticed that the GUIDs were all the same.
Does anyone know what's going on and how I can clean this up?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OldManEd
Builder
10-23-2015
08:56 AM
To address this issue, delete the file below and then restart the Splunk Forwarder.
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OldManEd
Builder
10-23-2015
08:56 AM
To address this issue, delete the file below and then restart the Splunk Forwarder.
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OldManEd
Builder
10-23-2015
08:28 AM
After further review, I found that the issue is with the following file;
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
It contains the GUID entry. From what I read, I need to remove the "guid = " line and on the Forwarder restart, a new GUID should be generated.
My new question is, can I simply remove the entire file? The only thing in it is;
[general]
guid = <number>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OldManEd
Builder
10-23-2015
08:54 AM
After testing, it appears that deleting the "instance.cfg" file completely works fine. A new file is generated with a new GUID.
Get Updates on the Splunk Community!
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
