Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Stop data collection on Splunk App for Infrastructure

To stop data collection, you can:

  • Stop the data collection agents on an entity. Do this if you want to stop data collection temporarily.
  • Remove the data collection agents from an entity. Do this if you want to stop data collection permanently.

Follow these steps according to the OS of the entity from which you want to stop collecting data.

You must stop collecting data from an entity before you delete it from the Splunk App for Infrastructure. If you delete an entity but do not stop data collection, the entity will reappear as soon as collectd sends metrics information to the Splunk App for Infrastructure. If you are collecting data from at least 1,000 entities, you must stop sending data from an entity for approximately 10 minutes before you can delete the entity. For every 10,000 entities from which you are collecting data, wait approximately 10 additional minutes before deleting the entity after stopping data collection from it.

Stop data collection on a *nix entity

To stop collecting log data from a *nix entity, see Uninstall the universal forwarder in the Forwarder Manual.

To stop collecting metrics data from an entity in the Splunk App for Infrastructure, you could stop collectd, remove the collectd plug-ins, or remove collectd on your entity.

What you need to stop or remove collectd

The easiest way to stop or remove collectd is with a package manager. The following steps use these package managers according to the entity's operating system:

For more information about collectd, see About using collectd.

Stop collectd

Stop collectd so that the entity will no longer send metrics data to the Splunk App for Infrastructure.

To stop collectd on a Linux entity:

$ sudo service collectd stop
$ sudo systemctl stop collectd

To stop collectd on an OSX entity:

$ sudo brew services stop collectd

Remove the write_splunk and collectd plug-ins

Remove the plug-ins if you want to stop sending metrics data to the Splunk App for Infrastructure but do not want to remove collectd from your entity.

  1. Go to the collectd plug-in directory.
    1. For a Debian, Ubuntu or OSX entity, the default location is /usr/lib/collectd/.
    2. For a Centos, Redhat, Fedora, SUSE, or openSUSE entity, the default location is /usr/lib64/collectd/.
  2. Delete the unix-agent/write_splunk.so file.
  3. Go to the collectd directory. The default location is /etc/.
  4. Open the collectd.conf file.
  5. Delete the Plugin write_splunk plug-in.

Remove collectd

Remove collectd on a Ubuntu or Debian entity:

$ sudo apt-get purge --auto-remove collectd

Remove collectd on a Centos, Redhat, or Fedora entity:

$ sudo yum autoremove collectd

Remove collectd on a SUSE or openSUSE entity:

$ sudo zypper remove --clean-deps collectd

Remove collectd on an OSX entity:

$ brew remove collectd

Stop data collection on a Windows entity

Stop or remove the universal forwarder that's sending log and metrics data to the Splunk App for Infrastructure. For more information, see Uninstall the universal forwarder in the Forwarder Manual.

Stop data collection from your AWS account

You can either deselect data sources that you no longer want to collect from AWS, or remove your AWS account from the Splunk App for Infrastructure to stop data collection.

  1. From the Splunk App for Infrastructure, go to the Add Data tab.
  2. Select AWS.
  3. Complete one of these options:
    1. In Step 2, deselect the data sources that you no longer want to collect from your AWS account.
    2. At the top of the page, click Delete this account to remove your AWS account.
Last modified on 01 February, 2019
PREVIOUS
Use custom metric indexes in Splunk App for Infrastructure
  NEXT
Configure alert notifications in Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters