All Apps and Add-ons

How do I disable monitor input?


Hi team

i am trying to disable monitor input from Splunk TA Office 365 through the CLI command.

content_type = Audit.General
index = idx_acp_azure_ad
interval = 660
tenant_name = Office365_ACP
start_by_shell = false
disabled = 0

Splunk edit monitor splunk_ta_o365_management_activity://ACP_General_Audit -disabled 1

but, splunk shows me an error

Cannot edit input "/opt/splunk/etc/apps/splunk_ta_o365/local/splunk_ta_o365_management_activity:/ACP_General_Audit", no input exists with that name.

How can i disable this input??


0 Karma

Path Finder


splunk edit monitor CLI edits monitored directory inputs.

The input in the Splunk Add-on for Microsoft Office 365 is a modular input, not a monitor input. So you can not use splunk edit monitor to disable it.

To disable it, there are three ways:
1. you can open the inputs.conf and put disabled=1 under the stanza
2. go to the Web UI -> Settings - Data Inputs -> Microsoft Office 365 Message Trace -> Disable
3. go to the Web UI then go to the Microsoft Office 365 Reporting Add-on for Splunk -> Inputs -> Action -> Disable

Hope it helps.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!