Getting Data In

How far back can be go when rebuilding the forwarders' assets?

ddrillic
Ultra Champion

Based on the interface of the DMC, it appears that we can go back only 24 hours when rebuilding the forwarder assets. I just did it in our production environment and only one forwarder is reported as missing. I'm pretty sure though that other forwarders are down for more than 24 hours. What can be done?

alt text

Tags (2)
0 Karma

Claw
Splunk Employee
Splunk Employee

Are you trying to collect the data from the missing forwarders or are you trying to add the forwarders to the Distributed Management Console.

This process deletes the sourcetype holding all of the existing forwarders and the process is usesually ONLY run oneself or so to clean up an environment where you have many forwarders missing and only want to see existing forwarders. Once you run this process, any forwarders that are no longer reporting are just gone and so is any data about them. This is not retrievable. The 24 hour question is asking how much back data for each forwarder do you want to collect. It cannot collect any data from forwarders that it no longer has any record of.

0 Karma

ddrillic
Ultra Champion

So, let's say a certain forwarder was down for 48 hours. Would it be included in the rebuilt list?

0 Karma

ddrillic
Ultra Champion

@Claw - any feedback on this one, by any chance?

0 Karma

ddrillic
Ultra Champion

Any thoughts about this one, by any chance?

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...