Splunk Enterprise

How to remove "Missing" forwarder from Forwarder Monitoring on Splunk Light 6.5 (Not DMC)?


Having difficulties removing old, stale, servers that used to have splunk universal forwarder running. After you remove the forwarder service and delete the host from the index the forwarders still appear in the forwader monitoring section.

How can you remove the "missing" forwarders that are no longer active?

This is splunk light version so I don't have access to DMC (distributed management console) which all other articles i've seen about this issue pertain to.

Labels (1)
0 Karma

Esteemed Legend

The easy way is what @wmosher88 says and that is the supported way, however, you may find that this will change far more than you desire. If you really just need to remove one host, manually remove it using the Lookup Editor pointed to the dmc_forwarder_assets.csv lookup file inside of the splunk_monitoring_console app or do this:

| inputlookup dmc_forwarder_assets.csv
| search NOT hostname="HostNameToDeleteHere"
| outputlookup dmc_forwarder_assets.csv


Sir, I have been a fan of yours for long. Thank u for all the knowledge sharing. I have " missing FWs in Splunk Ent or ES reported by MC that I can not clear any more via the "Rebuilt Forwarder assets" feature in MC. Any advice is appreciated in advance. Thank u

Tags (1)
0 Karma


This worked for me and was a little less worrisome than clearing out all of our forwarders. Thanks!

0 Karma


In the current version of the Cloud Monitoring Console App, under Settings, then Forwarder Monitoring Setup, use the "Rebuild forwarder assets ..." button to clear missing forwarders you don't want to see reported any more.


Can confirm that this works for 7.3.4 for any other users on the same version.

0 Karma

Path Finder

Hi, did you try disabling forwarder monitoring and then enabling it again?

That removed missing forwarders from the monitoring console for me.

Path Finder

What are you looking at to see forwarder monitoring and the list of "missing" forwarders? I have only ever seen this through the monitoring console.

On newer versions of Splunk the "distributed management console" has been renamed to the "Monitoring Console", but its basically the same. You get to it through a big icon on the left of the settings drop-down, below "Add Data", not in the lists

Normally, I'd say you'll need to rebuild the forwarder asset table. See:

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...