Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cloud Monitoring Console - Rebuild forwarder assets

Tiny_Trex
Engager
‎01-30-2024 02:46 PM

When going to CMC -> Forwarders -> Forwarders: deployment, I see that we have 19k+ forwarders, which is completely inaccurate. We have more like 900. It shows 18k+ as missing, and the list has instances decommissioned years ago. 

I thought I could fix this by telling it to rebuild the forwarder assets via the button under VMC -> Forwarders -> Forwarder monitor setup, but when I click on this, it processes for about a minute, and then nothing changes.

The description makes me think it is supposed to clear out the sim_forwarder_assets.csv lookup and rebuild it using only data it sees within the time frame I selected (24 hours). If I open up the lookup, all the entries it had previously are still there. 

Am I misunderstanding how this works, or is something broken?

Labels (2)
0 Karma
Reply

bwheel
Engager
‎08-22-2024 07:03 AM

There are 2 options. 1 is the regular 'update' which you have selected, and then an additional 'rebuild forwarder assets' button that will do a complete rebuild.

They both use saved searches, one is the update which is activated when you select 'Enable', and the other you can setup for a regular rebuild to clear out the older forwarders if you wish. Especially useful when you have AWS or similar that regularly redeploys environments.

Some more detail available at:
Use the Forwarder dashboards - Splunk Documentation

0 Karma
Reply

Tiny_Trex
Engager
‎08-22-2024 11:50 AM

Hey, thanks for taking the time to reply, bwheel, but I think you might have misread my post. I stated that I was clicking the "Rebuild forwarder Assets..." button. I'm not sure what you're referring to with the "regular 'update'" you mention. I also couldn't find any mention of an "update" option in the document you linked. Maybe I'm misunderstanding what you're saying, but either way please don't spend any further time on it.

I opened a support case about the fact it didn't work, and they said it was a bug and provided me with a search to update the lookup table manually. I think they might have fixed it at this point. I seem to recall using it not too long ago.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...