Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How does one fix the multiple Forwarders with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Everyone,
Here is my situation. I set up one Windows box with a Universal Forwarder, V6.3. This one forwarder was to be the one that all the many other forwarders would be cloned from. An older version of a Forwarder was placed on these other Windows boxes when another group created a Windows image. This older version was never set up properly.
In an effort to clean things up, the process that was used to re-do the Forwarders was the following;
- Stop the Forwarder service on the Windows box
- Delete the “C:\Program Files\SplunkUniversalForwarder\” directory.
- Copy in the new, updated, directory, “C:\Program Files\SplunkUniversalForwarder\”.
- Restart the service
Everything looked OK but I'm using a separate server as a Deployment server and monitoring server. When I went to the Distributed Management Console under Forwarders>Instance I see the message below;
Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.
When I went through all the devices listed, I only saw one entry for each hostname but I noticed that the GUIDs were all the same.
Does anyone know what's going on and how I can clean this up?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To address this issue, delete the file below and then restart the Splunk Forwarder.
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To address this issue, delete the file below and then restart the Splunk Forwarder.
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After further review, I found that the issue is with the following file;
“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
It contains the GUID entry. From what I read, I need to remove the "guid = " line and on the Forwarder restart, a new GUID should be generated.
My new question is, can I simply remove the entire file? The only thing in it is;
[general]
guid = <number>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After testing, it appears that deleting the "instance.cfg" file completely works fine. A new file is generated with a new GUID.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
