Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure


Stop data collection on Splunk App for Infrastructure

If you delete an entity in the Splunk App for Infrastructure (SAI) but do not stop data collection, the entity will reappear as soon as the system sends metrics data to SAI.

To stop data collection, complete one of these tasks:

  • Run the easy removal script on a host.
  • Manually stop and remove the data collection agents from a host.

If you are collecting data from at least 1,000 entities, you must stop sending data from an entity for approximately 10 minutes before you can delete the entity. For every 10,000 entities from which you are collecting data, wait approximately 10 additional minutes before deleting the entity after stopping data collection from it.

Run the easy removal script

The script removes the universal forwarder on your host. If other apps are still using the universal forwarder on the host, do not use the script to stop data collection.

Follow these steps to get the easy removal script according to the host's operating system and run the script on the host you want to stop monitoring. You can get the script for *nix and Windows systems.

Prerequisites

To remove the data collection agents, you must log in to an account with permissions to use sudo for root access. Do not log in as the root user.

Steps

  1. In the SAI user interface, click the Add Data tab.
  2. From the panel on the left of the window, select the operating system of the host you want to stop monitoring.
  3. Under "2: Copy and paste the following into the command line of your host", select the Remove tab.
  4. Copy the script.
  5. Secure shell (SSH) into the host.
  6. Run the script.

Example Linux/Unix removal script

For Linux/Unix, the script installs the unix-agent, runs uninstall_agent.sh to remove the universal forwarder and collectd, and then removes the unix-agent.

wget --no-check-certificate <hostname>:/static/app/splunk_app_infrastructure/unix_agent/unix-agent.tgz && tar -xzf unix-agent.tgz && cd unix-agent && bash uninstall_agent.sh && cd .. && rm -rf unix-agent

Example Mac OS X removal script

For Mac OS X, the script installs the osx-agent, runs uninstall_agent.sh to remove the universal forwarder and collectd, and then removes the osx-agent.

curl -ksL -o osx-agent.tgz <hostname>:/static/app/splunk_app_infrastructure/osx_agent/osx-agent.tgz && tar -xzf osx-agent.tgz && cd osx-agent && bash uninstall_agent.sh && cd .. && rm -rf osx-agent
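
Both one-liners above turn off certificate validation (--no-check-certificate, curl -k) and then run a script from the downloaded archive on a host where you hold sudo rights, so it is worth inspecting the archive before extracting it. The following is an added example, not part of Splunk's removal script; the function names, return codes, and demo archive are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Splunk's script: vet an agent archive before any file in
# it is run with sudo. Function names and return codes are assumptions.

# check_agent_archive ARCHIVE TOPDIR   (TOPDIR is used as a regex fragment)
# Returns 0 only if the archive is readable, every member path stays inside
# TOPDIR/, and TOPDIR/uninstall_agent.sh is present. Returns 2 if unreadable.
check_agent_archive() {
    archive=$1
    topdir=$2
    listing=$(tar -tzf "$archive" 2>/dev/null) || { echo "cannot read $archive" >&2; return 2; }
    # Absolute paths or ".." components could write outside the working directory.
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2; return 1
    fi
    # Anything outside TOPDIR/ is not part of the agent package.
    if printf '%s\n' "$listing" | grep -Evq "^(\./)?${topdir}(/|\$)"; then
        echo "member outside ${topdir}/ in $archive" >&2; return 1
    fi
    # The script that the one-liner runs must actually be in the archive.
    if ! printf '%s\n' "$listing" | grep -Eq "^(\./)?${topdir}/uninstall_agent\.sh\$"; then
        echo "${topdir}/uninstall_agent.sh missing from $archive" >&2; return 1
    fi
    return 0
}

# Demo on a constructed archive (not a real Splunk package).
demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    mkdir unix-agent && : > unix-agent/uninstall_agent.sh
    tar -czf unix-agent.tgz unix-agent
    check_agent_archive unix-agent.tgz unix-agent && echo "archive layout OK"
    rm -rf "$work"
)

# No argument: run the demo. Otherwise: check ARCHIVE [TOPDIR].
case ${1:-} in "") demo ;; *) check_agent_archive "$1" "${2:-unix-agent}" ;; esac
```

Download the archive first, run the check with the archive name and its expected top-level directory (unix-agent or osx-agent), and continue with tar -xzf and uninstall_agent.sh only if it returns 0.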

Example Windows removal script

For Windows, the script runs a wmic command to uninstall the universal forwarder.

wmic product where name="UniversalForwarder" call uninstall

Manually stop data collection from a *nix host

To stop collecting log data from a *nix host, see Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

To stop collecting metrics data from a host in SAI, you must stop collectd, remove the collectd plug-ins, or remove collectd on your host.

What you need to stop or remove collectd

You need command line access to the system you want to stop collecting data from.

The easiest way to stop or remove collectd is with a package manager. The following steps use these package managers, according to the host's operating system:

For more information about collectd, see About using collectd.

Stop collectd

Stop collectd so that the host will no longer send metrics data to SAI.

Stop collectd on a Linux host:

$ sudo service collectd stop
$ sudo systemctl stop collectd

Stop collectd on an OSX host:

$ sudo brew services stop collectd

Remove the write_splunk and collectd plug-ins

Remove the plug-ins if you want to stop sending metrics data to SAI but do not want to remove collectd from your host.

For information about collectd and collectd plug-in locations, see collectd package sources, install commands, and locations.

  1. Go to the collectd plug-in directory.
  2. Delete the unix-agent/write_splunk.so file.
  3. Go to the collectd directory.
  4. Open the collectd.conf file.
  5. Delete the Plugin write_splunk plug-in.
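
The configuration edit in steps 4 and 5, written as a script so it can be repeated across hosts. This is an added example, not Splunk's tooling; the function names are assumptions, and the sample collectd.conf, including its server and token values, is constructed.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Function names are assumptions.

# Print the config in $1 without its <Plugin write_splunk> ... </Plugin> block.
# Exits 3 if the block is never closed, so a damaged file is not rewritten.
strip_write_splunk() {
    awk '
        /^[ \t]*<Plugin[ \t]+"?write_splunk"?[ \t]*>/ { skip = 1; next }
        skip && /^[ \t]*<\/Plugin>/                    { skip = 0; next }
        !skip                                          { print }
        END { if (skip) exit 3 }
    ' "$1"
}

# Rewrite the file in place (same inode, so owner and mode are kept).
remove_write_splunk() {
    conf=$1
    tmp=$(mktemp) || return 1
    if strip_write_splunk "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"
        rc=$?
        # Show any other line that still names the plug-in, for manual review.
        grep -n 'write_splunk' "$conf" >&2 || true
    else
        rc=1
        echo "left $conf unchanged" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed config (placeholder values, not real settings).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
<Plugin cpu>
  ReportByCpu true
</Plugin>
<Plugin write_splunk>
  server "splunk.example.test"
  token "00000000-0000-0000-0000-000000000000"
</Plugin>
EOF
    remove_write_splunk "$sample" && cat "$sample"
    rm -f "$sample"
}

# No argument: run the demo. Otherwise: edit the named collectd.conf.
case ${1:-} in "") demo ;; *) remove_write_splunk "$1" ;; esac
```

Run it with sudo against the collectd.conf path for your platform, then restart or stop collectd so the change takes effect.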

Remove collectd

Remove collectd on an Ubuntu or Debian host:

$ sudo apt-get purge --auto-remove collectd

Remove collectd on a CentOS, Red Hat, or Fedora host:

$ sudo yum autoremove collectd

Remove collectd on a SUSE or openSUSE host:

$ sudo zypper remove --clean-deps collectd

Remove collectd on an OSX host:

$ brew remove collectd

Manually stop data collection from a Windows host

Stop or remove the universal forwarder that's sending log and metrics data to SAI. See Uninstall the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

Manually stop data collection from your AWS account

You can either deselect data sources that you no longer want to collect from AWS, or remove your AWS account from SAI to stop data collection.

  1. From SAI, go to the Add Data tab.
  2. Select AWS.
  3. Complete one of these options:
    1. In Step 2, deselect the data sources that you no longer want to collect from your AWS account.
    2. At the top of the page, click Delete this account to remove your AWS account.

Manually stop data collection for a Kubernetes cluster

Delete the release name from the Kubernetes cluster to stop data collection from the cluster. Deleting the release name removes the Splunk Connect for Kubernetes (SCK) components that handle log and metrics data collection.

Prerequisites

  • Command line access to the host system that runs the Kubernetes cluster.
  • Permissions to execute Helm commands on the host system.

Steps

Delete the release name to remove the data collection components from the Kubernetes cluster:

$ helm delete --purge <release_name>

where <release_name> is the Release name you specified when configuring the data collection script.

Manually stop data collection for an OpenShift cluster

To stop collecting data from an OpenShift cluster, delete the Splunk Connect for Kubernetes (SCK) Helm charts and remove the project.

Prerequisites

  • Command line access to the host system that runs the OpenShift cluster.
  • You have permission to execute oc commands.

Steps

Follow these steps to delete the Helm charts and remove the project from your OpenShift cluster. When you delete the Helm charts, you stop the pods and other objects the Helm charts configure.

  1. Go to the project that has SCK. This is the project you created when configuring data collection for the OpenShift cluster.
    $ oc project <OpenShift_Project>
    
  2. Delete the splunk-kubernetes-metrics Helm chart.
    $ oc delete -f ./rendered-charts/splunk-connect-for-kubernetes/charts/splunk-kubernetes-metrics/templates/
    
  3. Delete the splunk-kubernetes-logging Helm chart.
    $ oc delete -f rendered-charts/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/templates/
    
  4. Delete the splunk-kubernetes-objects Helm chart.
    $ oc delete -f rendered-charts/splunk-connect-for-kubernetes/charts/splunk-kubernetes-objects/templates/
    
  5. Delete the OpenShift project.
    $ oc delete project <OpenShift_Project>
    
  6. Remove the rendered-charts/ directory.
    $ rm -rf rendered-charts/
    
Last modified on 08 July, 2020

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5

