Having difficulties removing old, stale, servers that used to have splunk universal forwarder running. After you remove the forwarder service and delete the host from the index the forwarders still appear in the forwader monitoring section.
How can you remove the "missing" forwarders that are no longer active?
This is splunk light version so I don't have access to DMC (distributed management console) which all other articles i've seen about this issue pertain to.
The easy way is what @wmosher88 says and that is the supported way, however, you may find that this will change far more than you desire. If you really just need to remove one host, manually remove it using the
Lookup Editor pointed to the
dmc_forwarder_assets.csv lookup file inside of the
splunk_monitoring_console app or do this:
| inputlookup dmc_forwarder_assets.csv | search NOT hostname="HostNameToDeleteHere" | outputlookup dmc_forwarder_assets.csv
Sir, I have been a fan of yours for long. Thank u for all the knowledge sharing. I have " missing FWs in Splunk Ent or ES reported by MC that I can not clear any more via the "Rebuilt Forwarder assets" feature in MC. Any advice is appreciated in advance. Thank u
In the current version of the Cloud Monitoring Console App, under Settings, then Forwarder Monitoring Setup, use the "Rebuild forwarder assets ..." button to clear missing forwarders you don't want to see reported any more.
What are you looking at to see forwarder monitoring and the list of "missing" forwarders? I have only ever seen this through the monitoring console.
On newer versions of Splunk the "distributed management console" has been renamed to the "Monitoring Console", but its basically the same. You get to it through a big icon on the left of the settings drop-down, below "Add Data", not in the lists
Normally, I'd say you'll need to rebuild the forwarder asset table. See: