Getting Data In

How does one fix the multiple Forwarders with same GUID issue on Windows boxes?

OldManEd
Builder

Everyone,

Here is my situation. I set up one Windows box with a Universal Forwarder, V6.3. This one forwarder was to be the one that all the many other forwarders would be cloned from. An older version of a Forwarder was placed on these other Windows boxes when another group created a Windows image. This older version was never set up properly.

In an effort to clean things up, the process that was used to re-do the Forwarders was the following;

  1. Stop the Forwarder service on the Windows box
  2. Delete the “C:\Program Files\SplunkUniversalForwarder\” directory.
  3. Copy in the new, updated, directory, “C:\Program Files\SplunkUniversalForwarder\”.
  4. Restart the service

Everything looked OK but I'm using a separate server as a Deployment server and monitoring server. When I went to the Distributed Management Console under Forwarders>Instance I see the message below;

Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.

When I went through all the devices listed, I only saw one entry for each hostname but I noticed that the GUIDs were all the same.

Does anyone know what's going on and how I can clean this up?

Tags (2)
0 Karma
1 Solution

OldManEd
Builder

To address this issue, delete the file below and then restart the Splunk Forwarder.

 “C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”  

View solution in original post

OldManEd
Builder

To address this issue, delete the file below and then restart the Splunk Forwarder.

 “C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”  

OldManEd
Builder

After further review, I found that the issue is with the following file;

“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg”  

It contains the GUID entry. From what I read, I need to remove the "guid = " line and on the Forwarder restart, a new GUID should be generated.

My new question is, can I simply remove the entire file? The only thing in it is;

[general]
guid = <number>
0 Karma

OldManEd
Builder

After testing, it appears that deleting the "instance.cfg" file completely works fine. A new file is generated with a new GUID.

0 Karma
Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...