Stop collecting data from a *nix host in ITE Work
You can run a collection agent removal script or stop collecting data manually. To manually stop collecting logs from a host, you can stop the universal forwarder, uninstall the universal forwarder, or just remove the monitor inputs in inputs.conf
on the universal forwarder. To manually stop collecting metrics data from a host, choose one of the following options:
- Stop collectd
- Remove the collectd plug-ins
- Remove collectd on the host
When you stop collecting data from a host, manually remove the entity from ITE Work. For more information, see Manually delete inactive entities in ITE Work.
Prerequisites
Requirement | Description |
---|---|
Dependencies | See Required *nix dependencies. |
Administrator role
(Only required if you're running the collection agent removal script) |
|
Run the collection agent removal script on a *nix host
Get the collection agent removal script from the Add Data page. Run the script in a command line window on the system you want to stop monitoring. When you run the script, it removes collectd and the universal forwarder on the system. If you're using collectd or the universal forwarder for other use cases, don't run the script. The script doesn't just stop data collection for ITE Work entity integrations. The script removes collectd and the universal forwarder entirely.
For Linux and Unix systems, the script installs the unix-agent
, runs unintsall_agent.sh
to remove the universal forwarder and collectd, and then removes the unix-agent
.
Follow these steps to get and run the script:
- From the ITE Work main menu, click Configuration > Data Integrations.
- Select the Unix and Linux chicklet
- Select Collectd.
- In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.
- Copy the script.
- Open a command line window on the host you want to remove the collection agents from.
- Run the script.
Stop collecting logs on a *nix host
To manually stop collecting log data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITE Work entity integrations from inputs.conf
.
To stop the universal forwarder, run this command:
$SPLUNK_HOME/bin/splunk stop
For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
If you're using the universal forwarder for other use cases, comment out or remove the monitor stanzas for ITE Work entity integrations in inputs.conf
on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.
Stop collectd
Stop collectd so the host will no longer send metrics data to ITE Work. If you're running collectd for other use cases, this isn't the best option, and you should remove the collectd plug-ins that ITE Work uses to collect data.
Here are commands you can run on a host to stop collectd:
$ sudo service collectd stop $ sudo systemctl stop collectd
Remove the write_splunk and collectd plug-ins
Remove the plug-ins if you want to stop sending metrics data to ITE Work but don't want to stop or remove collectd.
For information about collectd and collectd plug-in locations, see collectd package sources, install commands, and locations for ITE Work.
- Go to the collectd plug-in directory.
- Delete the
unix-agent/write_splunk.so
file. - Go to the collectd directory.
- Open the
collectd.conf
file. - Delete the
LoadPlugin "write_splunk"
andPlugin write_splunk
stanzas. They look like this:<LoadPlugin "write_splunk"> FlushInterval 30 </LoadPlugin> <Plugin write_splunk> server "<receiving_server>" port "<hec_port>" token "<hec_token>" ssl true verifyssl false Dimension "entity_type:nix_host" Dimension "key2:value2" </Plugin>
- Save your changes and close the file.
Remove collectd
If you no longer want to collect metrics from a host and aren't using collectd for another use case, you can remove collectd. Find the command to remove collectd on your host according to its operating system in the following table:
Operating system | Command |
---|---|
|
$ sudo apt-get purge --auto-remove collectd |
|
$ sudo yum autoremove collectd |
|
$ sudo zypper remove --clean-deps collectd |
Manually collect logs from a *nix host in ITE Work | Troubleshoot the Unix and Linux entity integration in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3
Feedback submitted, thanks!