Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unanswered question about duplicate forwarders after upgrading

tylermonteith
Explorer
‎08-21-2024 03:27 AM

Here is an old post from 2019 that was unanswered.

https://community.splunk.com/t5/Deployment-Architecture/Remove-missing-duplicate-forwarders-from-for...

I am running into the same issue. Splunk Enterprise 9.2.2. Basically we had maybe 400+ machines with version 9.0.10. When upgrading to a newer splunkforwarder 9.2.2 under Forwarder Management there is duplicate instances of the computers. Pushing our Clients now to above 800. How can you remove the duplicates with going through each duplicate and clicking delete Record?

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎08-21-2024 07:16 AM 
|inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
|streamstats count by hostname
|search status=active OR (status=missing AND count=1)
|fields - count
| outputlookup dmc_forwarder_assets.csv

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PaulPanther
Motivator
‎08-21-2024 03:42 AM

You have two options:

 

1. Rebuild the Forwarder Asset table in the DMC

2. Create a custom search to identify duplicate hostnames and remove these entries of missing forwarder in the lookup file dmc_fowarder_assets.csv that is located in the splunk_monitoring_console app

 

0 Karma
Reply
Solved! Jump to solution

tylermonteith
Explorer
‎08-21-2024 05:06 AM

But can you give me a bit more on the Rebuild Forwarder Asset table in the DMC? And do you have maybe how that search would look? I have basically generally searched for specific users in the search and reporting field. So any more pointing in the direction would help. But in the interim, I will start looking into this as a solution and work towards it. Appreciate it

0 Karma
Reply
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎08-21-2024 07:16 AM 
|inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
|streamstats count by hostname
|search status=active OR (status=missing AND count=1)
|fields - count
| outputlookup dmc_forwarder_assets.csv
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...