All Apps and Add-ons

Can you disable inputs from one TA using another TA?

eblackburn
Path Finder

Is it possible to disable some stanzas from, for example, the Windows TA, using another TA? I apologize ahead of time if this comes off newb-ish and needlessly complex, but we've run into an interesting problem.

We have a number of Citrix XenApp servers in our environment and a little while back, they began struggling with some of the processes that Splunk spawns through scripted inputs. They were taking up a lot of CPU and RAM. The short-term fix seemed to be disabling these inputs, like [admon] and [WinRegMon] and setting them to interval =-1. I found these stanzas in both the \etc\system\ inputs.conf and the Windows TA inputs.conf.

To keep them disabled, and only put this in place on Citrix servers, I created a Citrix server class. Then I took the Windows TA, copied it, renamed it to something else, and kept everything the same except that I disabled those stanzas for this "Citrix" Windows TA (they are enabled on the standard Windows TA). This accomplished the goal of keeping them disabled for Citrix, but I'm not a fan of this solution because there are probably references within the Windows TA that need it to have the standard folder path ("Splunk_TA_windows"). I've already located and corrected a couple.

So I'm interested in moving the Citrix servers back to the standard Splunk_TA_windows TA, but want to keep those stanzas disabled for just those servers.

My question: Can I create a custom TA, apply it just to that Citrix server class, and just have an inputs.conf file with those stanzas disabled? I'm just not sure which TA would "win", if they had conflicting instructions for the stanzas: Splunk_TA_windows saying that [WinRegMon] is not disabled, for example, but the custom TA saying that it should be disabled.

So the custom TA inputs.conf file would have stanzas like this:

[WinRegMon]
disabled=1
interval=-1
baseline=0

[admon]
interval=-1
disabled=1
baseline=0

Labels (3)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can disable the inputs in different app. You just have to ensure that name of that "disabling" app is set appropriately that it takes precedence over the Splunk_TA_Windows. Have a look at this link to know that.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles#Summary_of...

 Basically just use any starting letter that comes before "S" (capital S).

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

You can disable the inputs in different app. You just have to ensure that name of that "disabling" app is set appropriately that it takes precedence over the Splunk_TA_Windows. Have a look at this link to know that.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles#Summary_of...

 Basically just use any starting letter that comes before "S" (capital S).

eblackburn
Path Finder

That's great information, thank you to both of you!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

To clarify - if your inputs are defined in some app's default directory, you should be able to overwrite the settings using any app's local directory. If the setting is defined in a local directory of some app, you'll need a setting within a local directory of an app of a higher lexicographic priority.

0 Karma

eblackburn
Path Finder

Understood, thanks! I've tested it and it works. I'm able to overwrite stanzas in the Windows TA\local folder by using a higher precedence, custom TA I made. That's exactly what I wanted.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles

Inputs work in the global context so you don't have to worry much about app permissions.

Always if you're unsure what the resulting settings are, use btool to check for interesting props, transforms, inputs or whatever type of configurations you want. It will show you the resulting combined settings.

One caveat - it doesn't work that way for accelerated models summary sharing. But it's a very very very specific case.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...