Rebuild forwarder assets does not actually rebuild...

Omar · ‎07-15-2023

Hello Splunkers,

To remove the old decommissioned UFs and stop the annoying missing alert "DMC Alert - Missing forwarders" we need to Rebuild forwarder assets.

The issue is even after doing so, the table still contains old decommissioned UFs, How do we solve this?

gcusello · ‎07-16-2023

Hi @Omar ,

the build of the asset lookup is done running a search on _internal.

So, before running rebuilding, check the duration of the time period, maybe it's too large and there are still events from the decommisioned Forwarders, it's usually 24 hours.

Ciao.

Giuseppe

Omar · ‎07-16-2023

Hi Giuseppe,

Thanks for the replay. However, the issue is that it does not delete the old table,

Splunk says: "The Monitoring Console deletes the existing table and uses input metrics from indexers to create a new table."

I find many forwarders in the "dmc_forwarder_assets" lockup table which belongs to agents that last connected in the year 2022

gcusello · ‎07-16-2023

Hi @Omar,

as I said, check the time periodo used to rebuild the lookup.

If the issue is only to delete old forwarders, as a workaround, you could try to manually delete all the records in the lookup "dmc_forwarder_assets" opening it in Lookup Editor.

Ciao.

Giuseppe

Rebuild forwarder assets does not actually rebuild the assets table

forwarder management

monitoring console

proactive Splunk component monitoring

splunk-assist

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...