Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unanswered question about duplicate forwarders after upgrading

tylermonteith
Explorer
‎08-21-2024 03:27 AM

Here is an old post from 2019 that was unanswered.

https://community.splunk.com/t5/Deployment-Architecture/Remove-missing-duplicate-forwarders-from-for...

I am running into the same issue. Splunk Enterprise 9.2.2. Basically we had maybe 400+ machines with version 9.0.10. When upgrading to a newer splunkforwarder 9.2.2 under Forwarder Management there is duplicate instances of the computers. Pushing our Clients now to above 800. How can you remove the duplicates with going through each duplicate and clicking delete Record?

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎08-21-2024 07:16 AM 
|inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
|streamstats count by hostname
|search status=active OR (status=missing AND count=1)
|fields - count
| outputlookup dmc_forwarder_assets.csv

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PaulPanther
Motivator
‎08-21-2024 03:42 AM

You have two options:

 

1. Rebuild the Forwarder Asset table in the DMC

2. Create a custom search to identify duplicate hostnames and remove these entries of missing forwarder in the lookup file dmc_fowarder_assets.csv that is located in the splunk_monitoring_console app

 

0 Karma
Reply
Solved! Jump to solution

tylermonteith
Explorer
‎08-21-2024 05:06 AM

But can you give me a bit more on the Rebuild Forwarder Asset table in the DMC? And do you have maybe how that search would look? I have basically generally searched for specific users in the search and reporting field. So any more pointing in the direction would help. But in the interim, I will start looking into this as a solution and work towards it. Appreciate it

0 Karma
Reply
Solved! Jump to solution
Solution

PaulPanther
Motivator
‎08-21-2024 07:16 AM 
|inputlookup dmc_forwarder_assets.csv
| sort - last_connected hostname
|streamstats count by hostname
|search status=active OR (status=missing AND count=1)
|fields - count
| outputlookup dmc_forwarder_assets.csv
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...