Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove "Missing" forwarder from Forwarder Monitoring on Splunk Light 6.5 (Not DMC)?

dhrechkosy
Explorer
‎02-09-2017 12:48 PM

Having difficulties removing old, stale, servers that used to have splunk universal forwarder running. After you remove the forwarder service and delete the host from the index the forwarders still appear in the forwader monitoring section.

How can you remove the "missing" forwarders that are no longer active?

This is splunk light version so I don't have access to DMC (distributed management console) which all other articles i've seen about this issue pertain to.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2019 07:33 AM

The easy way is what @wmosher88 says and that is the supported way, however, you may find that this will change far more than you desire. If you really just need to remove one host, manually remove it using the Lookup Editor pointed to the dmc_forwarder_assets.csv lookup file inside of the splunk_monitoring_console app or do this:

| inputlookup dmc_forwarder_assets.csv
| search NOT hostname="HostNameToDeleteHere"
| outputlookup dmc_forwarder_assets.csv
Reply

SamHTexas
Builder
‎09-09-2021 08:42 AM

Sir, I have been a fan of yours for long. Thank u for all the knowledge sharing. I have " missing FWs in Splunk Ent or ES reported by MC that I can not clear any more via the "Rebuilt Forwarder assets" feature in MC. Any advice is appreciated in advance. Thank u

Tags (1)
0 Karma
Reply

dlozen
Engager
‎07-06-2021 01:06 PM

This worked for me and was a little less worrisome than clearing out all of our forwarders. Thanks!

0 Karma
Reply

wmosher88
Engager
‎12-03-2019 06:35 AM

In the current version of the Cloud Monitoring Console App, under Settings, then Forwarder Monitoring Setup, use the "Rebuild forwarder assets ..." button to clear missing forwarders you don't want to see reported any more.

Reply

avery2007
Explorer
‎03-17-2020 09:05 AM

Can confirm that this works for 7.3.4 for any other users on the same version.

0 Karma
Reply

aosso
Path Finder
‎08-21-2017 07:25 AM

Hi, did you try disabling forwarder monitoring and then enabling it again?

That removed missing forwarders from the monitoring console for me.

Reply

templets
Path Finder
‎07-05-2017 01:31 PM

What are you looking at to see forwarder monitoring and the list of "missing" forwarders? I have only ever seen this through the monitoring console.

On newer versions of Splunk the "distributed management console" has been renamed to the "Monitoring Console", but its basically the same. You get to it through a big icon on the left of the settings drop-down, below "Add Data", not in the lists

Normally, I'd say you'll need to rebuild the forwarder asset table. See:
http://docs.splunk.com/Documentation/Splunk/6.5.4/DMC/Configureforwardermonitoring

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...