Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Stop collecting data from a Windows host in ITE Work

You can run a collection agent removal script or stop collecting data manually. To manually stop collecting metrics and logs from a host, choose one of these options:

  • Stop the universal forwarder
  • Uninstall the universal forwarder
  • Remove or comment out stanzas in inputs.conf on the universal forwarder

When you stop collecting data from a host, manually remove the entity from ITE Work. For more information, see Manually delete inactive entities in ITE Work.

Prerequisites

Requirement            Description
Dependencies           See Required Windows dependencies.
Administrator role*    In Splunk Enterprise, you have to be a user with the admin role.

*Only if you're running the collection agent removal script.

Run the collection agent removal script on a Windows host

The following script uninstalls the universal forwarder from the host. It doesn't just stop data collection for ITE Work entity integrations; it removes the universal forwarder entirely. If you're using the universal forwarder for other use cases, don't run the script. You can also get the script from the Add Data page in ITE Work. Run the script in a PowerShell window on the system you want to stop monitoring.

From a Windows command prompt, run the wmic command and specify the universal forwarder as the product to remove:

wmic product where name="UniversalForwarder" call uninstall

Follow these steps to get the script from ITE Work:

  1. From the ITE Work main menu, click Configuration > Data Integrations.
  2. Click the Windows chicklet.
  3. In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.

Manually stop collecting logs and metrics from a Windows host

To manually stop collecting log or metrics data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITE Work entity integrations from inputs.conf. If you're using the universal forwarder for other use cases, don't stop or remove it, and instead just remove the stanzas in inputs.conf you configured for ITE Work entity integrations.

To stop the universal forwarder, run this command:

$SPLUNK_HOME/bin/splunk stop

For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

If you're using the universal forwarder for other use cases, comment out or remove the stanzas for ITE Work entity integrations in inputs.conf on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.
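
One way to comment out specific stanzas while leaving the forwarder's other inputs in place, shown as an added PowerShell example that is not part of Splunk's documentation or its removal script. The function name Disable-InputStanza, the sample file, and its stanzas are assumptions made for illustration; substitute the stanzas you configured for ITE Work entity integrations.

```powershell
# Added example, not Splunk's removal script. Comments out the named stanzas
# in inputs.conf and leaves every other input on the forwarder untouched.
function Disable-InputStanza {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Path,    # path to inputs.conf
        [Parameter(Mandatory)] [string[]] $Stanza   # exact headers to disable
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $inTarget = $false
    $changed = 0
    $result = foreach ($line in @(Get-Content -LiteralPath $full)) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[.*\]$') {
            # New stanza header: is it one we were asked to disable?
            $inTarget = $Stanza -ccontains $trimmed
        }
        if ($inTarget -and $trimmed -ne '' -and -not $trimmed.StartsWith('#')) {
            $changed++
            "# $line"
        } else {
            $line
        }
    }
    if ($changed -gt 0 -and $PSCmdlet.ShouldProcess($full, "comment out $changed line(s)")) {
        # Keep a timestamped copy so the change can be reviewed or reverted.
        $backup = $full + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak'
        Copy-Item -LiteralPath $full -Destination $backup
        # WriteAllLines emits UTF-8 without a byte-order mark.
        [System.IO.File]::WriteAllLines($full, [string[]]$result)
    }
    return $changed
}

# Constructed sample file; stanza names and settings are illustrative only.
$sample = Join-Path $env:TEMP 'inputs.conf.sample'
@'
[perfmon://CPU]
object = Processor
counters = % Processor Time
interval = 60

[WinEventLog://Security]
disabled = 0
'@ | Set-Content -LiteralPath $sample

Disable-InputStanza -Path $sample -Stanza '[perfmon://CPU]'
Get-Content -LiteralPath $sample
```

Run it with -WhatIf first to see how many lines would change without touching the file. Restart the universal forwarder afterward so it rereads inputs.conf.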

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3