Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Stop collecting data from a *nix host in ITSI

You can run a collection agent removal script or stop collecting data manually. To manually stop collecting logs from a host, you can stop the universal forwarder, uninstall the universal forwarder, or just remove the monitor inputs in inputs.conf on the universal forwarder. To manually stop collecting metrics data from a host, choose one of the following options:

  • Stop collectd
  • Remove the collectd plug-ins
  • Remove collectd on the host

When you stop collecting data from a host, manually remove the entity from ITSI. For more information, see Manually delete inactive entities in ITSI.

Prerequisites

Requirement Description
Dependencies See Required *nix dependencies.
Administrator role*

*Only if you're running the collection agent removal script.

In Splunk Enterprise, you have to be a user with the admin role.

In Splunk Cloud, you have to be a user with the sc_admin role.

Run the collection agent removal script on a *nix host

Get the collection agent removal script from the Add Data page. Run the script in a command line window on the system you want to stop monitoring. When you run the script, it removes collectd and the universal forwarder on the system. If you're using collectd or the universal forwarder for other use cases, don't run the script. The script doesn't just stop data collection for ITSI entity integrations. The script removes collectd and the universal forwarder entirely.

For Linux and Unix systems, the script installs the unix-agent, runs unintsall_agent.sh to remove the universal forwarder and collectd, and then removes the unix-agent.

Follow these steps to get and run the script:

  1. From the ITSI main menu, click Configuration > Data Integrations.
  2. Select the Unix and Linux chicklet
  3. Select Collectd.
  4. In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.
  5. Copy the script.
  6. Open a command line window on the host you want to remove the collection agents from.
  7. Run the script.

Stop collecting logs on a *nix host

To manually stop collecting log data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITSI entity integrations from inputs.conf.

To stop the universal forwarder, run this command:

$SPLUNK_HOME/bin/splunk stop

For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

If you're using the universal forwarder for other use cases, comment out or remove the monitor stanzas for ITSI entity integrations in inputs.conf on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.

Stop collectd

Stop collectd so the host will no longer send metrics data to ITSI. If you're running collectd for other use cases, this isn't the best option, and you should remove the collectd plug-ins that ITSI uses to collect data.

Here are commands you can run on a host to stop collectd:

$ sudo service collectd stop
$ sudo systemctl stop collectd

Remove the write_splunk and collectd plug-ins

Remove the plug-ins if you want to stop sending metrics data to ITSI but don't want to stop or remove collectd.

For information about collectd and collectd plug-in locations, see collectd package sources, install commands, and locations for ITSI.

  1. Go to the collectd plug-in directory.
  2. Delete the unix-agent/write_splunk.so file.
  3. Go to the collectd directory.
  4. Open the collectd.conf file.
  5. Delete the LoadPlugin "write_splunk" and Plugin write_splunk stanzas. They look like this:
    <LoadPlugin "write_splunk">
    FlushInterval 30
    </LoadPlugin>
    
    <Plugin write_splunk>
    server "<receiving_server>"
    port "<hec_port>"
    token "<hec_token>"
    ssl true
    verifyssl false
    Dimension "entity_type:nix_host" 
    Dimension "key2:value2"
    </Plugin>
    
  6. Save your changes and close the file.

Remove collectd

If you no longer want to collect metrics from a host and aren't using collectd for another use case, you can remove collectd. Find the command to remove collectd on your host according to its operating system in the following table:

Operating system Command
  • Ubuntu
  • Debian
$ sudo apt-get purge --auto-remove collectd
  • CentOS
  • Red Hat Enterprise Linux
  • Fedora
$ sudo yum autoremove collectd
  • SUSE
  • openSUSE
$ sudo zypper remove --clean-deps collectd
Last modified on 10 July, 2020
PREVIOUS
Manually collect logs from a *nix host in ITSI
  NEXT
Troubleshoot the Unix and Linux entity integration in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters