Everyone,
Here is my situation. I set up one Windows box with a Universal Forwarder, V6.3. This one forwarder was to be the one that all the many other forwarders would be cloned from. An older version of a Forwarder was placed on these other Windows boxes when another group created a Windows image. This older version was never set up properly.
In an effort to clean things up, the process that was used to re-do the Forwarders was the following:
Everything looked OK, but I'm using a separate server as a Deployment server and monitoring server. When I went to the Distributed Management Console under Forwarders>Instance, I see the message below:
Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.
When I went through all the devices listed, I only saw one entry for each hostname but I noticed that the GUIDs were all the same.
Does anyone know what's going on and how I can clean this up?
To address this issue, delete the file below and then restart the Splunk Forwarder.
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
After further review, I found that the issue is with the following file:
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
It contains the GUID entry. From what I read, I need to remove the "guid = " line and on the Forwarder restart, a new GUID should be generated.
My new question is, can I simply remove the entire file? The only thing in it is:
[general]
guid = <number>
After testing, it appears that deleting the "instance.cfg" file completely works fine. A new file is generated with a new GUID.
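The fix from this thread as a script, added here as an example and not code from any poster or from Splunk: it resets only a forwarder whose GUID still equals the source machine's GUID, then confirms that a new one was written. The service name `SplunkForwarder`, the `$ImageGuid` placeholder and the backup file name are assumptions.

```powershell
# Added example: reset a cloned Universal Forwarder's GUID if it still matches the image's GUID.
# Assumptions: install path as quoted in the thread, service name 'SplunkForwarder',
# and $ImageGuid is a placeholder for the GUID of the machine the clones were made from.
param(
    [string]$ImageGuid   = '<GUID-OF-SOURCE-FORWARDER>',   # placeholder, fill in before use
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$ServiceName = 'SplunkForwarder'
)

$ErrorActionPreference = 'Stop'
$cfg = Join-Path $SplunkHome 'etc\instance.cfg'

function Get-ForwarderGuid([string]$Path) {
    # Returns the value of "guid = ..." or $null if the file or the key is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*guid\s*=\s*(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

$current = Get-ForwarderGuid $cfg
if ($null -eq $current) {
    Write-Output "No GUID found in $cfg; a restart of $ServiceName will generate one."
    return
}
if ($current -ne $ImageGuid) {
    Write-Output "GUID $current differs from the image GUID; nothing to do."
    return
}

Stop-Service -Name $ServiceName
# Keep a copy so the change can be audited or rolled back.
Copy-Item -LiteralPath $cfg -Destination "$cfg.cloned.bak" -Force
Remove-Item -LiteralPath $cfg -Force
Start-Service -Name $ServiceName

# instance.cfg is rewritten on startup; poll for up to a minute until it appears.
$new = $null
for ($i = 0; $i -lt 30 -and -not $new; $i++) {
    Start-Sleep -Seconds 2
    $new = Get-ForwarderGuid $cfg
}
if (-not $new -or $new -eq $ImageGuid) {
    throw "GUID was not regenerated on $env:COMPUTERNAME (read: '$new')."
}
Write-Output "$env:COMPUTERNAME GUID changed from $current to $new"
```

Running it a second time on the same host is a no-op, because the regenerated GUID no longer matches `$ImageGuid`.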