Hello,
I'm looking for advice on how to handle systems that are removed from the network.
We have several hundred Windows systems with the UniversalForwarder installed, sending log data to our Splunk server. As systems are decommissioned, I want to keep the log data from those retired systems in Splunk for compliance reasons. But I no longer want the retired system's host name to appear in the Data Summary window in Splunk Search. I only want live production systems to appear on that screen.
Is it just a matter of deleting the client name from the Forwarder Management screen?
Thanks,
Greg
↧