Have manually edited the serverclass.conf file in deployment server and not through GUI. Could not see server added again in serverclass.conf....
checked serverclass.conf file multiple times and ensured that the server name doesnot exist in it

Where is your serverclass.conf file located?

/opt/app/ecomm/splunk/etc/system/local/serverclass.conf

Am I correct in assuming you are trying to stop a server from receiving a TA with an input in it? If not, can you elaborate more on what you are trying to accomplish?

Windows server which was present in serverclass.conf is decommisiomed and hence i edited serverclass.conf to remove the existing server and added the new one...but i could still see logs from the removed server in GUI under same index

Is there any way that i could stop seeing logs from the particular server?

What are your time constraints for the search? If the events from that host fall under the time range you are selecting, you are still going to see the host. Once the events age out of that range you will no longer see them.

I am searching out of the range only like one minute a ago and could see logs for current minutes

Hi there,

Run this command and see if windows server shows up. splunk btool serverclass list --debug | grep 'your_windows_servername' I often land up in situations where I have 2 serverclass.conf files, one in $SPLUNK_HOME/etc/system/local and another in $SPLUNK_HOME/etc/apps/search/local.