Splunk IT Service Intelligence

Why are my Serverclass.conf changes not reflecting in the Splunk GUI?

saran53
New Member

Have removed a server from the serverclass.conf file and did reload and restart as well, but the server is still displayed in Splunk GUI for the same index.

A Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one... but I can still see logs from the removed server in the GUI.

Is there any way that I could stop seeing logs from the particular server?

0 Karma

diogofgm
SplunkTrust

After removing a server from a server class you can still see it in the deployment server (e.g. a client with the deployment server IP configured when the forwarder was installed).
Along with deploymentclient.conf, I'm guessing the inputs.conf on that decommissioned server was not deployed by the deployment server. Check the decommissioned server itself for configurations in splunk/etc/system/local.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vishaltaneja070
Motivator

Hello @saran53

Did you try to remove the server using the GUI through the deployment server?

Is there any condition mentioned which is adding the server again in serverclass.conf?

0 Karma

saran53
New Member

Have manually edited the serverclass.conf file on the deployment server and not through the GUI. Could not see the server added again in serverclass.conf....
Checked the serverclass.conf file multiple times and ensured that the server name does not exist in it.

0 Karma

integratorz
Path Finder

Where is your serverclass.conf file located?

0 Karma

saran53
New Member

/opt/app/ecomm/splunk/etc/system/local/serverclass.conf

0 Karma

integratorz
Path Finder

Am I correct in assuming you are trying to stop a server from receiving a TA with an input in it? If not, can you elaborate more on what you are trying to accomplish?

0 Karma

saran53
New Member

A Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one... but I could still see logs from the removed server in the GUI under the same index.

0 Karma

saran53
New Member

Is there any way that I could stop seeing logs from the particular server?

0 Karma

integratorz
Path Finder

What are your time constraints for the search? If the events from that host fall under the time range you are selecting, you are still going to see the host. Once the events age out of that range you will no longer see them.

0 Karma

saran53
New Member

I am searching out of the range only, like one minute ago, and could see logs for the current minutes.

0 Karma

sudosplunk
Motivator

Hi there,

Run this command and see if the Windows server shows up:

splunk btool serverclass list --debug | grep 'your_windows_servername'

I often land up in situations where I have 2 serverclass.conf files, one in $SPLUNK_HOME/etc/system/local and another in $SPLUNK_HOME/etc/apps/search/local.

0 Karma
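As an added example (not part of any post in this thread, and not Splunk's own tooling), the script below walks a Splunk home directory and reports every serverclass.conf that still lists a host in a whitelist.N or blacklist.N entry, which is the duplicate-file situation described in the last answer. The function names, the host names WINSRV01/WINSRV02, the server class name and the sample directory tree are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report every serverclass.conf under <splunk_home>/etc that
# still names a host in a whitelist.N / blacklist.N entry (literal match only;
# wildcard patterns such as "win*" are not expanded).

find_host_in_serverclass() {
    # $1 = Splunk home directory, $2 = host name to look for
    find "$1/etc" -type f -name serverclass.conf 2>/dev/null | sort |
    while IFS= read -r conf; do
        awk -v host="$2" -v file="$conf" '
            /^[ \t]*#/  { next }                    # skip comment lines
            /^[ \t]*\[/ { stanza = $0; next }       # remember current stanza
            /^[ \t]*(whitelist|blacklist)\.[0-9]+[ \t]*=/ {
                value = $0
                sub(/^[^=]*=[ \t]*/, "", value)     # keep text after "="
                sub(/[ \t]+$/, "", value)           # trim trailing blanks
                if (tolower(value) == tolower(host))
                    printf "%s|%s|%s\n", file, stanza, $0
            }
        ' "$conf"
    done
}

make_sample_tree() {
    # Constructed layout: the edited file in system/local and a forgotten
    # second copy in apps/search/local that still lists the old host.
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/system/local" "$d/etc/apps/search/local"
    printf '%s\n' '[serverClass:windows_hosts]' 'whitelist.0 = WINSRV02' \
        > "$d/etc/system/local/serverclass.conf"
    printf '%s\n' '# old copy' '[serverClass:windows_hosts]' \
        'whitelist.0 = WINSRV01' 'whitelist.1 = WINSRV02' \
        > "$d/etc/apps/search/local/serverclass.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed tree: prints file|stanza|matching line.
sample=$(make_sample_tree)
find_host_in_serverclass "$sample" WINSRV01
rm -rf "$sample"
```

On a real deployment server, pass the actual Splunk home directory and the decommissioned host name as the two arguments.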