Monitoring Splunk

How does one clean up data from the Distributed Management Console?

OldManEd
Builder

Does anyone know how to clean out all data from the Distributed Management Console application? I've been testing with it and have duplicate forwarder entries and would like to start from scratch.

1 Solution

hexx
Splunk Employee

If you are looking to recreate the forwarder monitoring asset table from scratch, in the DMC navbar just go to Setup > Forwarder Monitoring and use the provided button to rebuild that table.

Otherwise if you are looking to entirely reset the DMC to factory defaults, there is a button to that end in the Setup > General Setup page.

0 Karma

OldManEd
Builder

Hexx,
I found the "Reset All Settings" button, tried it, but I'm still seeing old Forwarder information in the data. During my initial set-up, I reconfigured some Forwarders and ended up with 1 instance name but multiple GUIDs. I keep seeing the notice below:

Note: Multiple forwarders installed on one host appear with identical host names, but different GUIDs.

I would like to clean out all the old data and start fresh if at all possible.

0 Karma

hexx
Splunk Employee

I see! One issue here is that the data from which the forwarder asset table is constructed is already indexed in the _internal index. The DMC will not clean that up - you don't want that anyway.

I think that your main (and maybe only) option here is to identify those forwarders that have different GUIDs but identical values for server.conf / serverName and to correct that. In order to do that, you should manually search your tcpin_connection events like so:

index=_internal source=*/metrics.log* group=tcpin_connections (cooked OR cookedSSL) | stats dc(hostname) AS hostname_count values(hostname) AS hostnames values(host) values(sourceHost) AS source_hostnames by guid | where hostname_count > 1

0 Karma

OldManEd
Builder

Hexx,
I've already identified the Forwarder Hostnames that have the same GUID. There are 7 of them. 6 were clones of the first one. That issue was addressed by removing the

“C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg” 

file and restarting the Forwarder service. A new file was created with a new GUID so that's all fine.

The issue I'm trying to address now is removing the old data from the "Distributed Management Console" application. But from what I understand from your last message, I can't do that. I'm just going to have to live with the results.

Oh well, thanks for your help.

0 Karma

ykou_splunk
Splunk Employee

OldManEd,
When you click the "rebuild forwarder assets table" button, a dialog will pop up in which you can choose a time range. Use this feature to exclude the _internal events that contain old GUID info. In other words, choose a time range that covers only the time period of the new GUID.
This should solve your problem.
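
One way to find where that time range should start, as an added example that is not part of the original thread and not Splunk code: it reads tcpin_connections lines, lists each hostname's superseded GUIDs, and reports the last time any of them was seen. The sample lines are constructed, their key=value layout is an assumption modelled on the fields in the search above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; layout assumed from the fields used in the search
# above (group, hostname, guid). WEB02 was cloned from WEB01, then re-keyed.
SAMPLE = """\
03-01-2024 09:00:00.000 +0000 INFO Metrics - group=tcpin_connections, connectionType=cooked, hostname=WEB01, guid=AAAA1111-0000-0000-0000-000000000001
03-01-2024 09:05:00.000 +0000 INFO Metrics - group=tcpin_connections, connectionType=cooked, hostname=WEB02, guid=AAAA1111-0000-0000-0000-000000000001
03-02-2024 14:00:00.000 +0000 INFO Metrics - group=tcpin_connections, connectionType=cooked, hostname=WEB02, guid=BBBB2222-0000-0000-0000-000000000002
03-02-2024 14:30:00.000 +0000 INFO Metrics - group=tcpin_connections, connectionType=cookedSSL, hostname=WEB01, guid=AAAA1111-0000-0000-0000-000000000001
03-02-2024 15:00:00.000 +0000 INFO Metrics - group=tcpin_connections, connectionType=cooked, hostname=DB01, guid=CCCC3333-0000-0000-0000-000000000003
"""

LINE = re.compile(r"^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\.\d+ \S+ .*group=tcpin_connections")
KV = re.compile(r"(\w+)=([^,\s]+)")

def parse(text):
    """Yield (timestamp, hostname, guid); the timezone offset is ignored."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        kv = dict(KV.findall(line))
        if "hostname" in kv and "guid" in kv:
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
            yield ts, kv["hostname"], kv["guid"]

def stale_pairs(text):
    """Return {hostname: [(guid, last_seen), ...]} for superseded GUIDs."""
    seen = defaultdict(dict)  # hostname -> guid -> last_seen
    for ts, host, guid in parse(text):
        seen[host][guid] = max(ts, seen[host].get(guid, ts))
    stale = {}
    for host, guids in seen.items():
        if len(guids) > 1:
            current = max(guids, key=guids.get)  # most recently seen GUID
            stale[host] = sorted((g, t) for g, t in guids.items() if g != current)
    return stale

def rebuild_window_start(text):
    """Last sighting of any stale hostname/GUID pair; start the range after it."""
    times = [t for pairs in stale_pairs(text).values() for _, t in pairs]
    return max(times) if times else None

if __name__ == "__main__":
    print(stale_pairs(SAMPLE))
    print("start the rebuild time range after:", rebuild_window_start(SAMPLE))
```

WEB01 is not flagged because it only ever reported one GUID, even though WEB02 briefly shared it.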