Splunk Enterprise

Unanswered question about duplicate forwarders after upgrading

tylermonteith
Explorer

Here is an old post from 2019 that was unanswered.

https://community.splunk.com/t5/Deployment-Architecture/Remove-missing-duplicate-forwarders-from-for...

I am running into the same issue on Splunk Enterprise 9.2.2. Basically, we had maybe 400+ machines with version 9.0.10. When upgrading to the newer splunkforwarder 9.2.2, there are duplicate instances of the computers under Forwarder Management, pushing our clients to above 800 now. How can you remove the duplicates without going through each duplicate and clicking Delete Record?

Thanks

PaulPanther
Motivator

You have two options:

1. Rebuild the Forwarder Asset table in the DMC

2. Create a custom search to identify duplicate hostnames and remove the entries of missing forwarders from the lookup file dmc_forwarder_assets.csv, which is located in the splunk_monitoring_console app

tylermonteith
Explorer

But can you give me a bit more on the Rebuild Forwarder Asset table in the DMC? And do you maybe have an idea of how that search would look? I have basically only searched for specific users in the Search & Reporting field. So any more pointing in the right direction would help. But in the interim, I will start looking into this as a solution and work towards it. Appreciate it.


PaulPanther
Motivator
| inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
| streamstats count by hostname
| search status=active OR (status=missing AND count=1)
| fields - count
| outputlookup dmc_forwarder_assets.csv
0 Karma
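
A dry run of the search above, as an added example that is not part of the original thread: because `outputlookup` overwrites the lookup file, this Python sketch applies the same sort, per-host running count and filter to an exported copy of the CSV and reports which rows would be removed. The function names, the `version` column and all sample rows are constructed for illustration, and `last_connected` is assumed to be an epoch timestamp.

```python
import csv
import io

# Constructed sample standing in for an exported copy of the lookup.
# hostname, status and last_connected are the fields the search on this
# page uses; the version column and every value are made up, and
# last_connected is assumed to be an epoch timestamp.
SAMPLE_CSV = """hostname,status,last_connected,version
ws-001,missing,1718000000,9.0.10
ws-001,active,1721000000,9.2.2
ws-002,missing,1717000000,9.0.10
ws-002,missing,1719000000,9.0.10
ws-003,missing,1716000000,9.0.10
ws-004,active,1721000500,9.2.2
ws-004,active,1720990000,9.0.10
"""


def preview_cleanup(csv_text):
    """Return (kept, dropped) rows, mirroring the SPL pipeline step by step."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # | sort - last_connected hostname  -> newest record first
    rows.sort(key=lambda r: float(r["last_connected"] or 0), reverse=True)
    seen = {}  # | streamstats count by hostname -> running count per host
    kept, dropped = [], []
    for row in rows:
        count = seen[row["hostname"]] = seen.get(row["hostname"], 0) + 1
        status = row["status"].lower()  # SPL search matches values case-insensitively
        # | search status=active OR (status=missing AND count=1)
        if status == "active" or (status == "missing" and count == 1):
            kept.append(row)
        else:
            dropped.append(row)
    return kept, dropped


def summarize(rows):
    """Sorted (hostname, status, version) tuples, for review or diffing."""
    return sorted((r["hostname"], r["status"], r["version"]) for r in rows)


if __name__ == "__main__":
    kept, dropped = preview_cleanup(SAMPLE_CSV)
    print("would be removed:", summarize(dropped))
    print("would remain:   ", summarize(kept))
```

In the sample, ws-004 keeps both of its rows because the filter retains every `active` record, so a host whose old and new entries both still report as active is not deduplicated by this search.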