Have removed a server from the serverclass.conf file and did reload and restart as well, but the server is still displayed in Splunk GUI for the same index.
The Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one, but I can still see logs from the removed server in the GUI.
Is there any way that I could stop seeing logs from the particular server?
After removing a server from a server class you can still see it in the deployment server (e.g. a client with the deployment server IP configured when the forwarder was installed).
Along with deploymentclient.conf, I'm guessing the inputs.conf on that decommissioned server was not deployed by the deployment server. Check the decommissioned server itself for configurations in splunk/etc/system/local.
Have manually edited the serverclass.conf file on the deployment server and not through the GUI. Could not see the server added again in serverclass.conf.
Checked the serverclass.conf file multiple times and ensured that the server name does not exist in it.
The Windows server which was present in serverclass.conf is decommissioned, and hence I edited serverclass.conf to remove the existing server and added the new one, but I could still see logs from the removed server in the GUI under the same index.
What are your time constraints for the search? If the events from that host fall under the time range you are selecting, you are still going to see the host. Once the events age out of that range you will no longer see them.
Run this command and see if the Windows server shows up.

splunk btool serverclass list --debug | grep 'your_windows_servername'

I often land up in situations where I have 2 serverclass.conf files, one in $SPLUNK_HOME/etc/system/local and another in $SPLUNK_HOME/etc/apps/search/local.
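An added example, not part of the original thread: a plain grep for the hostname misses a whitelist entry that still matches the host through a `*` wildcard. The sketch below reads `btool --debug` output on stdin and reports every whitelist/blacklist entry, with its source file and stanza, that matches the host. The sample output, host names and function names are constructed, and file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Constructed sample of `splunk btool serverclass list --debug` output:
# each line is "<source file> <stanza header or key = value>".
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/system/local/serverclass.conf      [serverClass:windows_servers]
/opt/splunk/etc/system/local/serverclass.conf      whitelist.0 = WINSRV02
/opt/splunk/etc/apps/search/local/serverclass.conf [serverClass:windows_legacy]
/opt/splunk/etc/apps/search/local/serverclass.conf whitelist.0 = WINSRV0*
/opt/splunk/etc/apps/search/local/serverclass.conf whitelist.1 = dc-*.example.com
EOF
}

# find_host_refs HOST  (hypothetical helper; reads btool --debug output on stdin)
# Prints "file<TAB>stanza<TAB>key = pattern" for each whitelist/blacklist
# entry whose pattern matches HOST. Assumption: patterns only use "*" wildcards.
find_host_refs() {
    host=$1
    stanza=""
    while read -r file key eq value; do
        case "$key" in
            \[*) stanza=$key; continue ;;          # remember current stanza
            whitelist.[0-9]*|blacklist.[0-9]*) ;;  # entries that select clients
            *) continue ;;
        esac
        [ "$eq" = "=" ] || continue
        # Unquoted $value in a case pattern is matched as a glob, so
        # "WINSRV0*" matches WINSRV01 even though grep WINSRV01 finds nothing.
        case "$host" in
            $value) printf '%s\t%s\t%s = %s\n' "$file" "$stanza" "$key" "$value" ;;
        esac
    done
    return 0
}

# Demo on the constructed sample; on a deployment server, pipe the real
# btool output into find_host_refs instead.
sample_btool_output | find_host_refs WINSRV01
```
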