Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the recommended steps to unsubscribe the forwarder at the management & deploymentserver?

armin1967
Explorer
‎09-09-2022 03:02 AM

Hi community,
a few month ago I have overtaken our Splunk cluster from a colleague who quit his job.
Now I have the situation that we dismantle some application server which has an universal forwarder installed. What are the recommended steps to unsubscribe the forwarder at the Management- & Deploymentserver? Apps and serverclasses are not affected. These are still needed.
Thanks in advance for your support.

Armin

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2022 03:13 AM

Hi @armin1967,

if you disable the Universal Forwarder on this server you don't have logs anymore.

If you have this server explicitly listed in a ServerClass, you have to manually delete if from the ServerClass by UI.

if in the ServerClass you have a general rule (e.g. all Windows 32bit servers), you don't need any action.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2022 03:13 AM

Hi @armin1967,

if you disable the Universal Forwarder on this server you don't have logs anymore.

If you have this server explicitly listed in a ServerClass, you have to manually delete if from the ServerClass by UI.

if in the ServerClass you have a general rule (e.g. all Windows 32bit servers), you don't need any action.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

armin1967
Explorer
‎09-12-2022 12:36 AM

One additional hint.
After uninstalling/disabling the forwarder, you'll see after a little delay, that a forwarder is missing.
Have a look at "Settings -> Monitoring Console -> Forwarders -> Forwarders:Deployment"
To delete this record you have to "Rebuild forwarder assets ..." at "Monitoring Console -> Settings -> Forwarder Monitoring Setup".

0 Karma
Reply
Solved! Jump to solution

armin1967
Explorer
‎09-09-2022 03:45 AM

Hi @gcusello,

thanks for your fast reply.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2022 03:47 AM

Hi @armin1967,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...