Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Stop collecting data from a *nix host in ITE Work

You can run a collection agent removal script or stop collecting data manually. To manually stop collecting logs from a host, you can stop the universal forwarder, uninstall the universal forwarder, or just remove the monitor inputs in inputs.conf on the universal forwarder. To manually stop collecting metrics data from a host, choose one of the following options:

  • Stop collectd
  • Remove the collectd plug-ins
  • Remove collectd on the host

When you stop collecting data from a host, manually remove the entity from ITE Work. For more information, see Manually delete inactive entities in ITE Work.

Prerequisites

Requirement Description
Dependencies See Required *nix dependencies.
Administrator role

(Only required if you're running the collection agent removal script)

  • In Splunk Enterprise, you have to be a user with the admin role.
  • In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Run the collection agent removal script on a *nix host

Get the collection agent removal script from the Add Data page. Run the script in a command line window on the system you want to stop monitoring. When you run the script, it removes collectd and the universal forwarder on the system. If you're using collectd or the universal forwarder for other use cases, don't run the script. The script doesn't just stop data collection for ITE Work entity integrations. The script removes collectd and the universal forwarder entirely.

For Linux and Unix systems, the script installs the unix-agent, runs unintsall_agent.sh to remove the universal forwarder and collectd, and then removes the unix-agent.

Follow these steps to get and run the script:

  1. From the ITE Work main menu, click Configuration > Data Integrations.
  2. Select the Unix and Linux chicklet
  3. Select Collectd.
  4. In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.
  5. Copy the script.
  6. Open a command line window on the host you want to remove the collection agents from.
  7. Run the script.

Stop collecting logs on a *nix host

To manually stop collecting log data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITE Work entity integrations from inputs.conf.

To stop the universal forwarder, run this command:

$SPLUNK_HOME/bin/splunk stop

For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

If you're using the universal forwarder for other use cases, comment out or remove the monitor stanzas for ITE Work entity integrations in inputs.conf on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.

Stop collectd

Stop collectd so the host will no longer send metrics data to ITE Work. If you're running collectd for other use cases, this isn't the best option, and you should remove the collectd plug-ins that ITE Work uses to collect data.

Here are commands you can run on a host to stop collectd:

$ sudo service collectd stop
$ sudo systemctl stop collectd

Remove the write_splunk and collectd plug-ins

Remove the plug-ins if you want to stop sending metrics data to ITE Work but don't want to stop or remove collectd.

For information about collectd and collectd plug-in locations, see collectd package sources, install commands, and locations for ITE Work.

  1. Go to the collectd plug-in directory.
  2. Delete the unix-agent/write_splunk.so file.
  3. Go to the collectd directory.
  4. Open the collectd.conf file.
  5. Delete the LoadPlugin "write_splunk" and Plugin write_splunk stanzas. They look like this:
    <LoadPlugin "write_splunk">
    FlushInterval 30
    </LoadPlugin>
    
    <Plugin write_splunk>
    server "<receiving_server>"
    port "<hec_port>"
    token "<hec_token>"
    ssl true
    verifyssl false
    Dimension "entity_type:nix_host" 
    Dimension "key2:value2"
    </Plugin>
    
  6. Save your changes and close the file.

Remove collectd

If you no longer want to collect metrics from a host and aren't using collectd for another use case, you can remove collectd. Find the command to remove collectd on your host according to its operating system in the following table:

Operating system Command
  • Ubuntu
  • Debian
$ sudo apt-get purge --auto-remove collectd
  • CentOS
  • Red Hat Enterprise Linux
  • Fedora
$ sudo yum autoremove collectd
  • SUSE
  • openSUSE
$ sudo zypper remove --clean-deps collectd
Last modified on 28 April, 2023
Manually collect logs from a *nix host in ITE Work   Troubleshoot the Unix and Linux entity integration in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters