Why am I seeing decommissioned instances (i.e. search peers, forwarders) in the S.o.S. pulldowns and deployment topology view?
How this file $SPLUNK_HOME/etc/apps/sos/lookups/splunk_forwarders_cache.csv gets populated.
I see some incorrect hosts in that file
Can i delete the file and regenerate it.
How to regenerate this file ???
The S.o.S app maintains its asset tables in lookups files:
$SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv
$SPLUNK_HOME/etc/apps/sos/lookups/splunk_forwarders_cache.csv
To find out more about these lookup tables, I recommend to read the in-view help (accessible using the "Learn More" button) for the Deployment Topology view as well as the $SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv.spec
file.
Note that this maintenance of the lookup table only involves adding or updating records - S.o.S will not automatically remove entries of hosts that are no longer reachable.
If you decommissioned search peers, you'll need to edit the $SPLUNK_HOME/etc/apps/sos/lookups/splunk_servers_cache.csv
lookup file to manually remove the entries corresponding to those instances.