i have upgraded all of our universal forwarders from 6.3.0 to 6.4.0 and roughly a third is showing as "missing" when looking at the forwarder version in the distributed management console. Is there any way to clean this up? I also notice a lot of servers that we have decommissioned showing up even after the log retention period of 90 days.
Found how to clean up the database. It is under Settings > Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild forwarder assets.
Found how to clean up the database. It is under Settings > Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild forwarder assets.
Have you updated the serverclass.conf
on the deployment server? After all, that's the only place where we map the forwarder's host to the deployment app.
No, no updates have been made to serverclass.conf. For the most part this is a stock install of Splunk with only the config files necessary to run changed(i.e. inputs, outputs, and the like). I have double checked the file and there is no specific server listed. It is a generic setup based on IP subnets and machine type. So I do not understand why with the upgrade i have ghosts hanging around showing up as missing.