Splunk Enterprise

How to remove "Missing" forwarder from Forwarder Monitoring on Splunk Light 6.5 (Not DMC)?

dhrechkosy
Explorer

Having difficulties removing old, stale, servers that used to have splunk universal forwarder running. After you remove the forwarder service and delete the host from the index the forwarders still appear in the forwader monitoring section.

How can you remove the "missing" forwarders that are no longer active?

This is splunk light version so I don't have access to DMC (distributed management console) which all other articles i've seen about this issue pertain to.

Labels (1)
0 Karma

woodcock
Esteemed Legend

The easy way is what @wmosher88 says and that is the supported way, however, you may find that this will change far more than you desire. If you really just need to remove one host, manually remove it using the Lookup Editor pointed to the dmc_forwarder_assets.csv lookup file inside of the splunk_monitoring_console app or do this:

| inputlookup dmc_forwarder_assets.csv
| search NOT hostname="HostNameToDeleteHere"
| outputlookup dmc_forwarder_assets.csv

SamHTexas
Builder

Sir, I have been a fan of yours for long. Thank u for all the knowledge sharing. I have " missing FWs in Splunk Ent or ES reported by MC that I can not clear any more via the "Rebuilt Forwarder assets" feature in MC. Any advice is appreciated in advance. Thank u

Tags (1)
0 Karma

dlozen
Engager

This worked for me and was a little less worrisome than clearing out all of our forwarders. Thanks!

0 Karma

wmosher88
Engager

In the current version of the Cloud Monitoring Console App, under Settings, then Forwarder Monitoring Setup, use the "Rebuild forwarder assets ..." button to clear missing forwarders you don't want to see reported any more.

avery2007
Explorer

Can confirm that this works for 7.3.4 for any other users on the same version.

0 Karma

aosso
Path Finder

Hi, did you try disabling forwarder monitoring and then enabling it again?

That removed missing forwarders from the monitoring console for me.

templets
Path Finder

What are you looking at to see forwarder monitoring and the list of "missing" forwarders? I have only ever seen this through the monitoring console.

On newer versions of Splunk the "distributed management console" has been renamed to the "Monitoring Console", but its basically the same. You get to it through a big icon on the left of the settings drop-down, below "Add Data", not in the lists

Normally, I'd say you'll need to rebuild the forwarder asset table. See:
http://docs.splunk.com/Documentation/Splunk/6.5.4/DMC/Configureforwardermonitoring

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!