Hi team
i am trying to disable monitor input from Splunk TA Office 365 through the CLI command.
[splunk_ta_o365_management_activity://ACP_General_Audit]
content_type = Audit.General
index = idx_acp_azure_ad
interval = 660
tenant_name = Office365_ACP
start_by_shell = false
disabled = 0
Splunk edit monitor splunk_ta_o365_management_activity://ACP_General_Audit -disabled 1
but, splunk shows me an error
Cannot edit input "/opt/splunk/etc/apps/splunk_ta_o365/local/splunk_ta_o365_management_activity:/ACP_General_Audit", no input exists with that name.
How can i disable this input??
Regards
Hi,
splunk edit monitor CLI edits monitored directory inputs.
The input in the Splunk Add-on for Microsoft Office 365 is a modular input, not a monitor input. So you can not use splunk edit monitor to disable it.
To disable it, there are three ways:
1. you can open the inputs.conf and put disabled=1 under the stanza
2. go to the Web UI -> Settings - Data Inputs -> Microsoft Office 365 Message Trace -> Disable
3. go to the Web UI then go to the Microsoft Office 365 Reporting Add-on for Splunk -> Inputs -> Action -> Disable
Hope it helps.