How to remove a linux server from SplunkLight sear...

danieljoleary · ‎10-18-2019

Hello,

I have a server which I no longer want included in my Splunk Search. The context for this is AWS where we are bringing up new servers and decommission existing servers in a blue/green deployment style. We would like to execute a script on the servers to be decommissioned so that they no longer participate in our Splunk configuration.

Here are the commands I use to add a server to our Splunk configuration:

/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt
/opt/splunkforwarder/bin/splunk install app packages/splunkclouduf.spl -auth admin:$SPLUNK_PASSWORD
/opt/splunkforwarder/bin/splunk set deploy-poll input-prd-p-qhc9rkr77cz2.cloud.splunk.com:8089
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk enable boot-start

What are the commands to remove the server from our Splunk configuration?

Is it as simple as:
/opt/splunkforwarder/bin/splunk stop

ivanreis · ‎10-20-2019

If you want to remove splunk agent from your server
1 - If you configured the universal forwarder to start on boot, remove it from your boot scripts before you uninstall.
./splunk disable boot-start

2 - Stop the forwarder
/splunk stop

check this document for further information
https://docs.splunk.com/Documentation/Forwarder/7.3.2/Forwarder/Uninstalltheuniversalforwarder#Prere...

Plus this process, you can blacklist the servers you want to remove on the deployment server accessing the server_class they were setup to. So you can guarantee if someone start the splunk service, splunk will not receive new data.

How to remove a linux server from SplunkLight search

configuration

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...