Splunk IT Service Intelligence

Why are my Serverclass.conf changes not reflecting in the Splunk GUI?

saran53
New Member

Have removed a server from the serverclass.conf file and did reload and restart as well, but the server is still displayed in Splunk GUI for the same index.

The Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one... but I can still see logs from the removed server in the GUI.

Is there any way that I could stop seeing logs from the particular server?

0 Karma

diogofgm
SplunkTrust

After removing a server from a server class you can still see it in the deployment server (e.g. a client with the deployment server IP configured when the forwarder was installed).
Along with deploymentclient.conf, I'm guessing the inputs.conf on that decommissioned server was not deployed by the deployment server. Check the decommissioned server itself for configurations in splunk/etc/system/local.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

vishaltaneja070
Motivator

Hello @saran53

Did you try to remove the server using the GUI through the deployment server?

Is there any condition mentioned which is adding the server again in serverclass.conf?

0 Karma

saran53
New Member

Have manually edited the serverclass.conf file on the deployment server and not through the GUI. Could not see the server added again in serverclass.conf...
Checked the serverclass.conf file multiple times and ensured that the server name does not exist in it.

0 Karma

integratorz
Path Finder

Where is your serverclass.conf file located?

0 Karma

saran53
New Member

/opt/app/ecomm/splunk/etc/system/local/serverclass.conf

0 Karma

integratorz
Path Finder

Am I correct in assuming you are trying to stop a server from receiving a TA with an input in it? If not, can you elaborate more on what you are trying to accomplish?

0 Karma

saran53
New Member

The Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one... but I could still see logs from the removed server in the GUI under the same index.

0 Karma

saran53
New Member

Is there any way that I could stop seeing logs from the particular server?

0 Karma

integratorz
Path Finder

What are your time constraints for the search? If the events from that host fall under the time range you are selecting, you are still going to see the host. Once the events age out of that range you will no longer see them.

0 Karma

saran53
New Member

I am searching out of the range only, like one minute ago, and could see logs for the current minutes.

0 Karma

sudosplunk
Motivator

Hi there,

Run this command and see if the Windows server shows up:

splunk btool serverclass list --debug | grep 'your_windows_servername'

I often land up in situations where I have 2 serverclass.conf files, one in $SPLUNK_HOME/etc/system/local and another in $SPLUNK_HOME/etc/apps/search/local.

0 Karma
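
As an added example (not posted by anyone in this thread), the script below walks every serverclass.conf under a Splunk etc/ directory and reports each whitelist/blacklist entry that still matches a host, including wildcard entries that a plain grep for the hostname would miss. The function names and the sample tree are hypothetical, and it assumes numbered whitelist.N/blacklist.N entries where `*` acts as a wildcard.

```shell
#!/bin/sh
# Added example (not from the thread): report every serverclass.conf entry
# under a Splunk etc/ tree that still matches a host, wildcards included.

# match_host_entries ETC_DIR HOST -> lines of "file<TAB>stanza<TAB>key<TAB>pattern"
match_host_entries() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    find "$1" -type f -name serverclass.conf | sort | while IFS= read -r conf; do
        stanza="(none)"
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(printf '%s' "$line" | tr -d '\r' |
                   sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case $line in
                '['*']') stanza=$line; continue ;;
                whitelist.[0-9]*=*|blacklist.[0-9]*=*) ;;
                *) continue ;;      # comments, blanks, other settings
            esac
            key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
            pat=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//' |
                  tr '[:upper:]' '[:lower:]')
            # $pat is unquoted on purpose so "*" in the entry acts as a wildcard.
            case $host in
                $pat) printf '%s\t%s\t%s\t%s\n' "$conf" "$stanza" "$key" "$pat" ;;
            esac
        done < "$conf"
    done
}

# build_sample_etc DIR: constructed sample tree with two serverclass.conf files.
build_sample_etc() {
    mkdir -p "$1/system/local" "$1/apps/search/local"
    cat > "$1/system/local/serverclass.conf" <<'EOF'
[serverClass:windows_hosts]
whitelist.0 = winsrv02
EOF
    cat > "$1/apps/search/local/serverclass.conf" <<'EOF'
# stale copy that still names the old host, plus a wildcard entry
[serverClass:windows_hosts]
whitelist.0 = WINSRV01
whitelist.1 = winsrv*
blacklist.0 = linux*
EOF
}

demo_dir=$(mktemp -d)
build_sample_etc "$demo_dir"
match_host_entries "$demo_dir" winsrv01
rm -rf "$demo_dir"
```

On a real deployment server the first argument would be $SPLUNK_HOME/etc; any line it prints names a file and stanza that still selects the host.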