Splunk Enterprise

Unanswered question about duplicate forwarders after upgrading

tylermonteith
Explorer

Here is an old post from 2019 that was unanswered.

https://community.splunk.com/t5/Deployment-Architecture/Remove-missing-duplicate-forwarders-from-for...

I am running into the same issue. Splunk Enterprise 9.2.2. Basically we had maybe 400+ machines with version 9.0.10. When upgrading to a newer splunkforwarder 9.2.2, under Forwarder Management there are duplicate instances of the computers. Pushing our Clients now to above 800. How can you remove the duplicates without going through each duplicate and clicking Delete Record?

Thanks


PaulPanther
Builder

You have two options:

1. Rebuild the Forwarder Asset table in the DMC

2. Create a custom search to identify duplicate hostnames and remove the entries of missing forwarders from the lookup file dmc_forwarder_assets.csv, which is located in the splunk_monitoring_console app

tylermonteith
Explorer

But can you give me a bit more on the Rebuild Forwarder Asset table in the DMC? And do you have maybe how that search would look? I have basically generally searched for specific users in the search and reporting field. So any more pointing in the direction would help. But in the interim, I will start looking into this as a solution and work towards it. Appreciate it


PaulPanther
Builder

| inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
| streamstats count by hostname
| search status=active OR (status=missing AND count=1)
| fields - count
| outputlookup dmc_forwarder_assets.csv
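
An offline dry run of the search above, added here as an example and not posted by anyone in the thread: it applies the same keep/drop rule to an exported copy of the lookup, so the rows that would disappear can be reviewed before `outputlookup` overwrites the file. The sample rows are constructed, `split_duplicates` is a hypothetical helper name, and `last_connected` is assumed to hold epoch seconds.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not real data); only the columns the search uses.
SAMPLE_CSV = """hostname,status,last_connected
web01,active,1722500000
web01,missing,1719000000
db01,missing,1721000000
db01,missing,1718000000
app01,missing,1720000000
"""


def split_duplicates(csv_text):
    """Return (kept, dropped) row lists using the same rule as the search."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Newest record first, mirroring `sort - last_connected hostname`.
    # Assumption: last_connected is numeric epoch seconds.
    rows.sort(key=lambda r: (-float(r["last_connected"]), r["hostname"]))
    seen = Counter()
    kept, dropped = [], []
    for row in rows:
        seen[row["hostname"]] += 1  # streamstats count by hostname
        newest = seen[row["hostname"]] == 1
        # search status=active OR (status=missing AND count=1)
        if row["status"] == "active" or (row["status"] == "missing" and newest):
            kept.append(row)
        else:
            dropped.append(row)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_duplicates(SAMPLE_CSV)
    for row in dropped:
        print("would remove:", row["hostname"], row["status"], row["last_connected"])
    print(len(kept), "kept,", len(dropped), "would be removed")
```

A host whose only records are `missing` keeps its newest one (`db01` and `app01` in the sample), so a forwarder that has stopped reporting still shows up in the inventory after the cleanup.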