Solved: Re: upgrade from universal forwarder 6.3.0 to 6.4....

ralphw_SAIC · ‎06-23-2016

i have upgraded all of our universal forwarders from 6.3.0 to 6.4.0 and roughly a third is showing as "missing" when looking at the forwarder version in the distributed management console. Is there any way to clean this up? I also notice a lot of servers that we have decommissioned showing up even after the log retention period of 90 days.

ralphw_SAIC · ‎03-30-2017

Found how to clean up the database. It is under Settings > Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild forwarder assets.

View solution in original post

ralphw_SAIC · ‎03-30-2017

Found how to clean up the database. It is under Settings > Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild forwarder assets.

ddrillic · ‎06-23-2016

Have you updated the serverclass.conf on the deployment server? After all, that's the only place where we map the forwarder's host to the deployment app.

Deployment server architecture

ralphw_SAIC · ‎06-24-2016

No, no updates have been made to serverclass.conf. For the most part this is a stock install of Splunk with only the config files necessary to run changed(i.e. inputs, outputs, and the like). I have double checked the file and there is no specific server listed. It is a generic setup based on IP subnets and machine type. So I do not understand why with the upgrade i have ghosts hanging around showing up as missing.

Issues with "missing" forwarder version after upgrade from universal forwarder 6.3.0 to 6.4.0?

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?