Hi community,
a few months ago I took over our Splunk cluster from a colleague who quit his job.
Now I have the situation that we are dismantling an application server that has a universal forwarder installed. What are the recommended steps to unsubscribe the forwarder at the Management and Deployment Server? Apps and serverclasses are not affected. These are still needed.
Thanks in advance for your support.
Armin
Hi @armin1967,
If you disable the Universal Forwarder on this server, you won't have logs anymore.
If you have this server explicitly listed in a ServerClass, you have to manually delete it from the ServerClass via the UI.
If in the ServerClass you have a general rule (e.g. all Windows 32bit servers), you don't need any action.
Ciao.
Giuseppe
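The distinction in the answer above (explicit listing versus general rule) can also be checked against the deployment server's `serverclass.conf` before the host is retired. This is an added example, not code from the thread: the host name `appsrv01`, the stanza names and the sample file contents are constructed, and Splunk's `*` wildcard is approximated with Python's `fnmatch`.

```python
import fnmatch

# Constructed sample of a deployment server's serverclass.conf (not from the thread).
SAMPLE_CONF = """\
[serverClass:windows_all]
whitelist.0 = win-*

[serverClass:app_team]
whitelist.0 = appsrv01
whitelist.1 = appsrv02

[serverClass:linux_web]
whitelist.0 = web-*
blacklist.0 = appsrv01
"""

def find_host_references(conf_text, host):
    """Return (stanza, key, pattern, kind) for each filter entry matching host.

    kind is 'explicit' when the entry names the host literally (these need
    manual removal) and 'wildcard' when a general rule merely matches it.
    """
    hits = []
    stanza = None
    host = host.lower()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        prefix, _, index = key.partition(".")
        # Only numbered filter entries such as whitelist.0 / blacklist.3.
        if not sep or prefix not in ("whitelist", "blacklist") or not index.isdigit():
            continue
        if value.lower() == host:
            hits.append((stanza, key, value, "explicit"))
        elif fnmatch.fnmatchcase(host, value.lower()):
            hits.append((stanza, key, value, "wildcard"))
    return hits

if __name__ == "__main__":
    for hit in find_host_references(SAMPLE_CONF, "appsrv01"):
        print(hit)
```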
One additional hint.
After uninstalling/disabling the forwarder, you'll see, after a little delay, that a forwarder is missing.
Have a look at "Settings -> Monitoring Console -> Forwarders -> Forwarders:Deployment"
To delete this record you have to "Rebuild forwarder assets ..." at "Monitoring Console -> Settings -> Forwarder Monitoring Setup".
Hi @gcusello,
thanks for your fast reply.
Hi @armin1967,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉