disable splunk stream

iherb_0718 · ‎02-15-2021

Anyone have the directions handy to disable splunk stream on a particular server? Is it done via the splunk stream app?

I want to disable it in a way that the service will not start up when the server reboots.

scelikok · ‎02-17-2021

This is default group that catches forwarders if no other group matches.

You should create a new group and move your stream setups to new one. Setup match forwarders regex to match only your server that you want. This will be your active configuration point.

Default group should not contain any stream. Your unwanted server will be seen under this default group and does not listen any stream.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎02-17-2021

Hi @iherb_0718,

You can remove that particular server from Forwarder groups on Splunk Stream App | Distributed Forwarder Management.

Streamfwd service will start but not start listening.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

iherb_0718 · ‎02-17-2021

Within the Stream app < configuration < distributed forwarder management < There is a default group and MATCHED FORWARDERS but that link is not editable.

alonsocaio · ‎02-16-2021

HI @iherb_0718,

How are you deploying the Splunk Stream app to your servers? Are you using a deployment server? If so, you could try removing your server from the server class that deploys this app. I guess this would uninstall the Splunk Stream app from the server.

disable splunk stream

configuration

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?