Monitoring Splunk

How does one clean up data from the Distributed Management Console?

OldManEd
Builder

Does anyone know how to clean out all data from the Distributed Management Console application? I've been testing with it and have duplicate forwarder entries and would like to start from scratch.

1 Solution

hexx
Splunk Employee

If you are looking to recreate the forwarder monitoring asset table from scratch, in the DMC navbar just go to Setup > Forwarder Monitoring and use the provided button to rebuild that table.

Otherwise if you are looking to entirely reset the DMC to factory defaults, there is a button to that end in the Setup > General Setup page.


0 Karma

OldManEd
Builder

Hexx,
I found the "Reset All Settings" button, tried it, but I'm still seeing old Forwarder information in the data. During my initial setup, I reconfigured some Forwarders and ended up with 1 instance name but multiple GUIDs. I keep seeing the notice below:

Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.

I would like to clean out all the old data and start fresh if at all possible.

0 Karma

hexx
Splunk Employee

I see! One issue here is that the data from which the forwarder asset table is constructed is already indexed in the _internal index. The DMC will not clean that up, and you don't want that anyway.

I think that your main (and maybe only) option here is to identify those forwarders that have different GUIDs but identical values for server.conf / serverName and to correct that. In order to do that, you should manually search your tcpin_connection events like so:

index=_internal source=*/metrics.log* group=tcpin_connections (cooked OR cookedSSL) | stats dc(hostname) AS hostname_count values(hostname) AS hostnames values(host) values(sourceHost) AS source_hostnames by guid | where hostname_count > 1

0 Karma

OldManEd
Builder

Hexx,
I've already identified the Forwarder Hostnames that have the same GUID. There are 7 of them; 6 were clones of the first one. That issue was addressed by removing the

“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg” 

file and restarting the Forwarder service. A new file was created with a new GUID so that's all fine.

The issue I'm trying to address now is removing the old data from the "Distributed Management Console" application. But from what I understand from your last message, I can't do that. I'm just going to have to live with the results.

Oh well, thanks for your help.

0 Karma

ykou_splunk
Splunk Employee

OldManEd,
When you click the "rebuild forwarder assets table" button, a dialog pops up in which you can choose a time range. Use this feature to exclude the _internal events that contain the old GUID info. In other words, choose a time range that covers only the time period of the new GUID.
This should solve your problem.
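The following is an added example, not code from the thread or from Splunk. It does offline, over a handful of constructed metrics.log lines, what hexx's tcpin_connections search does on the indexer: it groups cooked/cookedSSL forwarder connections by GUID to find GUIDs shared by several hosts (cloned instance.cfg), and by hostname to find hosts that have reported under several GUIDs (the regenerated-GUID case that leaves stale rows in the asset table). It also computes the "first seen" time of each GUID, which is what you need to pick the rebuild time range ykou_splunk describes: start the range no earlier than the newest GUID you want to keep, and the old GUIDs' events fall outside it. The exact field layout of the sample lines is an assumption modelled on metrics.log; every hostname, address and GUID is made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape of the group=tcpin_connections lines that a
# receiving indexer writes to metrics.log. The field layout is an assumption made for
# this example; hostnames, addresses and GUIDs are invented.
# WINFWD01..03 were cloned from one image and share a GUID; WINFWD03 later got a fresh
# instance.cfg, so it also reports a second GUID. SYSLOGBOX is a raw TCP sender (not a
# forwarder) and the group=thruput line shows that unrelated metrics are skipped.
SAMPLE_METRICS_LOG = """\
03-02-2015 10:00:01.001 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:50001:9997, connectionType=cooked, sourcePort=50001, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=1.0, os=Windows, arch=x86_64, hostname=WINFWD01, guid=1111AAAA-0000-0000-0000-000000000001, fwdType=uf, ssl=false
03-02-2015 10:00:01.002 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:50002:9997, connectionType=cooked, sourcePort=50002, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9997, kb=1.0, os=Windows, arch=x86_64, hostname=WINFWD02, guid=1111AAAA-0000-0000-0000-000000000001, fwdType=uf, ssl=false
03-02-2015 10:00:01.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:50003:9997, connectionType=cookedSSL, sourcePort=50003, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=1.0, os=Windows, arch=x86_64, hostname=WINFWD03, guid=1111AAAA-0000-0000-0000-000000000001, fwdType=uf, ssl=true
03-02-2015 10:00:01.004 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:50004:9997, connectionType=cookedSSL, sourcePort=50004, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=1.0, os=Windows, arch=x86_64, hostname=WINFWD03, guid=3333CCCC-0000-0000-0000-000000000003, fwdType=uf, ssl=true
03-02-2015 10:00:01.005 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.20:50005:9997, connectionType=raw, sourcePort=50005, sourceHost=10.0.0.20, sourceIp=10.0.0.20, destPort=9997, kb=1.0, hostname=SYSLOGBOX, guid=4444DDDD-0000-0000-0000-000000000004
03-02-2015 10:00:01.006 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2, instantaneous_eps=3.4, average_kbps=1.0, total_k_processed=100, kb=1.0, ev=10
03-02-2015 10:00:01.007 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.14:50006:9997, connectionType=cooked, sourcePort=50006, sourceHost=10.0.0.14, sourceIp=10.0.0.14, destPort=9997, kb=1.0, os=Linux, arch=x86_64, hostname=LINFWD01, guid=5555EEEE-0000-0000-0000-000000000005, fwdType=uf, ssl=false
"""

TIMESTAMP_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_tcpin_connections(log_text):
    """Return one dict of key=value fields per cooked/cookedSSL tcpin_connections event.

    This is the equivalent of the search filter
    ``group=tcpin_connections (cooked OR cookedSSL)``: raw TCP inputs and other metric
    groups are dropped, and each kept event carries its timestamp under "_time".
    """
    events = []
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("connectionType") not in ("cooked", "cookedSSL"):
            continue
        stamp = TIMESTAMP_RE.match(line)
        if not stamp or "guid" not in fields or "hostname" not in fields:
            continue
        fields["_time"] = datetime.strptime(stamp.group(1), "%m-%d-%Y %H:%M:%S.%f")
        events.append(fields)
    return events


def find_shared_guids(events):
    """GUIDs reported by more than one hostname (forwarders cloned with the same
    instance.cfg). Same result as `stats dc(hostname) ... by guid | where hostname_count > 1`."""
    hosts_by_guid = defaultdict(set)
    for ev in events:
        hosts_by_guid[ev["guid"]].add(ev["hostname"])
    return {guid: sorted(hosts) for guid, hosts in hosts_by_guid.items() if len(hosts) > 1}


def find_multi_guid_hosts(events):
    """Hostnames seen with more than one GUID. A forwarder whose instance.cfg was
    regenerated keeps its old GUID in _internal history; that history is what
    produces the duplicate rows in the forwarder asset table."""
    guids_by_host = defaultdict(set)
    for ev in events:
        guids_by_host[ev["hostname"]].add(ev["guid"])
    return {host: sorted(guids) for host, guids in guids_by_host.items() if len(guids) > 1}


def first_seen_by_guid(events):
    """Earliest timestamp at which each GUID connected to the receiver."""
    first = {}
    for ev in events:
        if ev["guid"] not in first or ev["_time"] < first[ev["guid"]]:
            first[ev["guid"]] = ev["_time"]
    return first


def rebuild_range_start(events, keep_guids):
    """Earliest time from which every GUID in keep_guids has been reporting: use it
    as the start of the asset-table rebuild time range so that only the current
    GUIDs are included. Returns None if one of the GUIDs has never been seen."""
    first = first_seen_by_guid(events)
    if any(guid not in first for guid in keep_guids):
        return None
    return max(first[guid] for guid in keep_guids)


if __name__ == "__main__":
    evs = parse_tcpin_connections(SAMPLE_METRICS_LOG)
    print("GUIDs shared by several hosts:", find_shared_guids(evs))
    print("Hosts that reported several GUIDs:", find_multi_guid_hosts(evs))
    current = ["3333CCCC-0000-0000-0000-000000000003", "5555EEEE-0000-0000-0000-000000000005"]
    print("Rebuild the asset table with earliest =", rebuild_range_start(evs, current))
```

Run it against a copy of metrics.log from the indexer (or the output of the search piped through `table _raw`) instead of the constructed sample. The start time it prints is a lower bound: if a host that still uses an old GUID keeps connecting after that time, its rows will come back on rebuild, which is why the GUID has to be fixed on the forwarder first and the rebuild done afterwards.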
