I have a server which I no longer want included in my Splunk Search. The context for this is AWS, where we are bringing up new servers and decommissioning existing servers in a blue/green deployment style. We would like to execute a script on the servers to be decommissioned so that they no longer participate in our Splunk configuration.
Here are the commands I use to add a server to our Splunk configuration:
In addition to this process, you can blacklist the servers you want to remove on the deployment server by accessing the server_class they were set up in. That way you can guarantee that if someone starts the Splunk service, Splunk will not receive new data.