Stop collecting data from a *nix host in ITSI
You can run a collection agent removal script or stop collecting data manually. To manually stop collecting logs from a host, you can stop the universal forwarder, uninstall the universal forwarder, or just remove the monitor inputs in
inputs.conf on the universal forwarder. To manually stop collecting metrics data from a host, choose one of the following options:
- Stop collectd
- Remove the collectd plug-ins
- Remove collectd on the host
When you stop collecting data from a host, manually remove the entity from ITSI. For more information, see Manually delete inactive entities in ITSI.
|Dependencies||See Required *nix dependencies.|
*Only if you're running the collection agent removal script.
In Splunk Enterprise, you have to be a user with the
In Splunk Cloud, you have to be a user with the
Run the collection agent removal script on a *nix host
Get the collection agent removal script from the Add Data page. Run the script in a command line window on the system you want to stop monitoring. When you run the script, it removes collectd and the universal forwarder on the system. If you're using collectd or the universal forwarder for other use cases, don't run the script. The script doesn't just stop data collection for ITSI entity integrations. The script removes collectd and the universal forwarder entirely.
For Linux and Unix systems, the script installs the
unintsall_agent.sh to remove the universal forwarder and collectd, and then removes the
Follow these steps to get and run the script:
- From the ITSI main menu, click Configuration > Data Integrations.
- Select the Unix and Linux chicklet
- Select Collectd.
- In the section that provides the script, select the Remove tab to see the collection agent removal script for the operating system type.
- Copy the script.
- Open a command line window on the host you want to remove the collection agents from.
- Run the script.
Stop collecting logs on a *nix host
To manually stop collecting log data, either stop the universal forwarder, uninstall the universal forwarder, or remove the monitor stanzas you configured for ITSI entity integrations from
To stop the universal forwarder, run this command:
For information about uninstalling the universal forwarder, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
If you're using the universal forwarder for other use cases, comment out or remove the monitor stanzas for ITSI entity integrations in
inputs.conf on the universal forwarder. For more information, see inputs.conf in the Splunk Enterprise Admin Manual.
Stop collectd so the host will no longer send metrics data to ITSI. If you're running collectd for other use cases, this isn't the best option, and you should remove the collectd plug-ins that ITSI uses to collect data.
Here are commands you can run on a host to stop collectd:
$ sudo service collectd stop $ sudo systemctl stop collectd
Remove the write_splunk and collectd plug-ins
Remove the plug-ins if you want to stop sending metrics data to ITSI but don't want to stop or remove collectd.
For information about collectd and collectd plug-in locations, see collectd package sources, install commands, and locations for ITSI.
- Go to the collectd plug-in directory.
- Delete the
- Go to the collectd directory.
- Open the
- Delete the
Plugin write_splunkstanzas. They look like this:
<LoadPlugin "write_splunk"> FlushInterval 30 </LoadPlugin> <Plugin write_splunk> server "<receiving_server>" port "<hec_port>" token "<hec_token>" ssl true verifyssl false Dimension "entity_type:nix_host" Dimension "key2:value2" </Plugin>
- Save your changes and close the file.
If you no longer want to collect metrics from a host and aren't using collectd for another use case, you can remove collectd. Find the command to remove collectd on your host according to its operating system in the following table:
$ sudo apt-get purge --auto-remove collectd
$ sudo yum autoremove collectd
$ sudo zypper remove --clean-deps collectd
Manually collect logs from a *nix host in ITSI
Troubleshoot the Unix and Linux entity integration in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only