How do I disable monitor input?

evinasco · ‎10-22-2018

Hi team

i am trying to disable monitor input from Splunk TA Office 365 through the CLI command.

[splunk_ta_o365_management_activity://ACP_General_Audit]
content_type = Audit.General
index = idx_acp_azure_ad
interval = 660
tenant_name = Office365_ACP
start_by_shell = false
disabled = 0

Splunk edit monitor splunk_ta_o365_management_activity://ACP_General_Audit -disabled 1

but, splunk shows me an error

Cannot edit input "/opt/splunk/etc/apps/splunk_ta_o365/local/splunk_ta_o365_management_activity:/ACP_General_Audit", no input exists with that name.

How can i disable this input??

Regards

lqiao2 · ‎10-22-2018

Hi,

splunk edit monitor CLI edits monitored directory inputs.

The input in the Splunk Add-on for Microsoft Office 365 is a modular input, not a monitor input. So you can not use splunk edit monitor to disable it.

To disable it, there are three ways:
1. you can open the inputs.conf and put disabled=1 under the stanza
2. go to the Web UI -> Settings - Data Inputs -> Microsoft Office 365 Message Trace -> Disable
3. go to the Web UI then go to the Microsoft Office 365 Reporting Add-on for Splunk -> Inputs -> Action -> Disable

Hope it helps.

How do I disable monitor input?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

How do I disable monitor input?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk