What is a missing forwarder?
A missing forwarder is a forwarder that does not check in for a certain amount of time. Atlas analyzes the environment every hour to check for forwarders & compares it to a running list of known forwarders. If a known Splunk forwarder doesn’t appear in this 15 minute chunk, then it is reported as a missing forwarder.
How to update the Known Forwarder’s list
Every hour the ‘Atlas Missing Forwarders Alert and Known Forwarder List’ Scheduled Search runs. This search investigates the current environment and identifies missing forwarders, automatically updating the Known Forwarder’s List.
If a user would want to manually update this list, they will need to hit the “Update Known Forwarders” button on the Forwarder Group Overview. This search may take time to update in larger environments.
