How to remove a host from Splunk Cloud, but not its historical data?

sbutkowskiR1
Explorer

Greetings all.

I'm relatively new to Splunk and did not see an answer for this particular issue in the KB. Any help is appreciated.

I have alerts turned on for missing forwarders and am being notified every 15 minutes that one is missing. After a small amount of investigation, I found that this Windows host has been permanently powered down. I would like to remove this host, not only from alerting, but from Splunk Cloud altogether.

I DO need to keep its historical data as we are in the Financial Tech industry and our retention policies are auditable. Does anyone know how to remove said host, but keep a record that it was there before removing it?

Thank you very much. If there is any more information necessary, I would be happy to provide it.

woodcock
Esteemed Legend

Yes.  It depends on what search is generating the alert.

richgalloway
SplunkTrust

If we're talking about the Cloud Monitoring Console then refreshing the forwarder list has no effect on the historical data.

---
If this reply helps you, Karma would be appreciated.

sbutkowskiR1
Explorer

Thank you so much. Funny story. We had a call scheduled with our Splunk migration architect not long after I posted this and this was EXACTLY the fix we implemented. The only additional step was that I logged into the Heavy Forwarder's GUI and was able to delete the record for the host from Settings > Forwarder Management, then proceeded to rebuild the Forwarder List. Worked like a charm! 🙂