We started using Splunk deployment server after some Windows servers already had the universal forwarder installed. However, it seems some servers were installed without the Splunk UniversalForwarder being configured correctly. Currently the $decideOnStartup "host" is reporting performance metrics, but I don't see any applog, seclog, or syslog data. I know that doesn't mean the server isn't reporting any data for the logs, I just don't have any data since the Splunk history was truncated to 35 days ago.
Is there an easy way to determine what server has the messed up configuration?
At the moment, I think I will be comparing the "All Forwarers" report from the Deployment Monitor Application and
... View more