Stop collecting data from a Windows host in ITSI
You can run a collection agent removal script or stop collecting data manually. To manually stop collecting metrics and logs from a host, choose one of these options:
- Stop the universal forwarder
- Uninstall the universal forwarder
- Remove or comment out stanzas in inputs.conf on the universal forwarder
When you stop collecting data from a host, manually remove the entity from ITSI. For more information, see Manually delete inactive entities in ITSI.
Prerequisites
Requirement | Description |
---|---|
Dependencies | See Required Windows dependencies. |
Administrator role* | *Only if you're running the collection agent removal script. In Splunk Enterprise, you have to be a user with the admin role. |
Run the collection agent removal script on a Windows host
The following script uninstalls the universal forwarder on the host. You can also get the script from the Add Data page in ITSI. Run the script in a PowerShell window on the system you want to stop monitoring. The script doesn't just stop data collection for ITSI entity integrations: it removes the universal forwarder from the system entirely. If you're using the universal forwarder for other use cases, don't run the script.
Run the wmic command and specify the universal forwarder to remove from a Windows command prompt:
wmic product where name="UniversalForwarder" call uninstall
Follow these steps to get the script from ITSI:
- From the ITSI main menu, click Configuration > Data Integrations.
- Click the Windows chicklet.
- In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.
Manually stop collecting logs and metrics from a Windows host
To manually stop collecting log or metrics data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITSI entity integrations from inputs.conf. If you're using the universal forwarder for other use cases, don't stop or remove it, and instead just remove the stanzas in inputs.conf you configured for ITSI entity integrations.
To stop the universal forwarder, run this command:
$SPLUNK_HOME/bin/splunk stop
For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
If you're using the universal forwarder for other use cases, comment out or remove the stanzas for ITSI entity integrations in inputs.conf on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.
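One way to comment out only selected stanzas while leaving the forwarder's other inputs (for example, security event log collection) untouched, as an added example that is not Splunk's removal script. The function name Disable-InputStanza, the stanza names, the index names and the sample file contents are assumptions constructed for illustration.

```powershell
# Added example (not from the Splunk documentation).
# Comments out every line of the named stanzas and leaves all other stanzas as they are.
function Disable-InputStanza {
    param(
        # Lines of inputs.conf; blank lines are allowed
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines,
        # Exact stanza headers to disable, without the square brackets (case-sensitive)
        [Parameter(Mandatory)][string[]]$StanzaNames
    )
    $inTarget = $false
    foreach ($line in $Lines) {
        # A stanza header ends the previous stanza and may start a targeted one
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inTarget = $StanzaNames -ccontains $Matches[1]
        }
        # Comment out live lines inside a targeted stanza; keep blanks and existing comments
        if ($inTarget -and $line.Trim() -ne '' -and $line -notmatch '^\s*#') {
            "# $line"
        } else {
            $line
        }
    }
}

# Constructed sample of an inputs.conf: one stanza assumed to belong to the
# ITSI entity integration, one used for another purpose that must keep running.
$sample = @(
    '[perfmon://CPU]'
    'object = Processor'
    'counters = % Processor Time'
    'interval = 30'
    'index = example_metrics'
    ''
    '[WinEventLog://Security]'
    'disabled = 0'
    'index = example_security'
)

# Only the perfmon stanza is commented out; the Security event log input is unchanged.
Disable-InputStanza -Lines $sample -StanzaNames 'perfmon://CPU'

# To apply to a real file, back it up first ($conf is a placeholder for your inputs.conf path):
#   Copy-Item $conf "$conf.bak"
#   Disable-InputStanza -Lines (Get-Content $conf) -StanzaNames 'perfmon://CPU' | Set-Content $conf
```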
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1