Delete CrowdStrike data input

Delete a CrowdStrike data input from Data Inputs when you no longer need to ingest data from that source.

When you delete a CrowdStrike data input, Data Inputs removes the input configuration, deletes the associated Universal Cloud Forwarder (UCF) connector, and cleans up related configuration files.

  1. Log in to Splunk Cloud and select the Data Inputs app.
  2. In the Ingest inputs tab, select the CrowdStrike data input that you want to delete.
  3. On the details section, select Delete.
  4. Confirm the deletion when prompted.

    Data Inputs initiates the deletion process, which produces the following results:

    • Data Inputs removes the input and its references to any shared configurations and CrowdStrike client configurations.
    • Data Inputs cleans up related configuration files and deletes the associated UCF connector.

    Shared configurations (sensor event filters, device property filters) and CrowdStrike client configurations persist in the system after input deletion, even if no other input references them.

Data Inputs removes the CrowdStrike data input, and it no longer appears in the Ingest inputs list. Data Inputs stops ingesting data from the deleted source. Any data that you already ingested remains in your Splunk indexes and the deletion does not affect it.

Deleting shared configurations and CrowdStrike client configurations

You can delete shared configurations (sensor event filters, device property filters) and CrowdStrike client configurations. You can delete a shared entity only when one of the following conditions is true:

  • The entity is not assigned to any input.
  • The entity is assigned only to the input you are currently managing.

If the entity is used by other inputs, the system prevents deletion.

The following rules apply:

  • Deletion of shared entities takes effect immediately and is permanent. You cannot undo it.
  • You cannot delete system-preset configurations (Default Sensor Events Filter and Default Device Properties Filter).