Re: How far back can be go when rebuilding the for...

ddrillic · ‎10-15-2016

Based on the interface of the DMC, it appears that we can go back only 24 hours when rebuilding the forwarder assets. I just did it in our production environment and only one forwarder is reported as missing. I'm pretty sure though that other forwarders are down for more than 24 hours. What can be done?

Claw · ‎10-17-2016

Are you trying to collect the data from the missing forwarders or are you trying to add the forwarders to the Distributed Management Console.

This process deletes the sourcetype holding all of the existing forwarders and the process is usesually ONLY run oneself or so to clean up an environment where you have many forwarders missing and only want to see existing forwarders. Once you run this process, any forwarders that are no longer reporting are just gone and so is any data about them. This is not retrievable. The 24 hour question is asking how much back data for each forwarder do you want to collect. It cannot collect any data from forwarders that it no longer has any record of.

ddrillic · ‎10-17-2016

So, let's say a certain forwarder was down for 48 hours. Would it be included in the rebuilt list?

ddrillic · ‎10-23-2016

@Claw - any feedback on this one, by any chance?

ddrillic · ‎10-17-2016

Any thoughts about this one, by any chance?

How far back can be go when rebuilding the forwarders' assets?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio