Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does one fix the multiple Forwarders with same GUID issue on Windows boxes?

OldManEd
Builder
‎10-23-2015 08:10 AM

Everyone,

Here is my situation. I set up one Windows box with a Universal Forwarder, V6.3. This one forwarder was to be the one that all the many other forwarders would be cloned from. An older version of a Forwarder was placed on these other Windows boxes when another group created a Windows image. This older version was never set up properly.

In an effort to clean things up, the process that was used to re-do the Forwarders was the following;

  1. Stop the Forwarder service on the Windows box
  2. Delete the “C:\Program Files\SplunkUniversalForwarder\” directory.
  3. Copy in the new, updated, directory, “C:\Program Files\SplunkUniversalForwarder\”.
  4. Restart the service

Everything looked OK but I'm using a separate server as a Deployment server and monitoring server. When I went to the Distributed Management Console under Forwarders>Instance I see the message below;

Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.

When I went through all the devices listed, I only saw one entry for each hostname but I noticed that the GUIDs were all the same.

Does anyone know what's going on and how I can clean this up?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

OldManEd
Builder
‎10-23-2015 08:56 AM

To address this issue, delete the file below and then restart the Splunk Forwarder.

 “C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”

View solution in original post

Reply
Solved! Jump to solution
Solution

OldManEd
Builder
‎10-23-2015 08:56 AM

To address this issue, delete the file below and then restart the Splunk Forwarder.

 “C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”
Reply
Solved! Jump to solution

OldManEd
Builder
‎10-23-2015 08:28 AM

After further review, I found that the issue is with the following file;

“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”

It contains the GUID entry. From what I read, I need to remove the "guid = " line and on the Forwarder restart, a new GUID should be generated.

My new question is, can I simply remove the entire file? The only thing in it is;

[general]
guid = <number>
0 Karma
Reply
Solved! Jump to solution

OldManEd
Builder
‎10-23-2015 08:54 AM

After testing, it appears that deleting the "instance.cfg" file completely works fine. A new file is generated with a new GUID.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...