We want to stop monitoring of /etc, but it seems the /local/inputs.conf is dynamically created. What do I need to do to stop that being monitored?
That's weird, because Splunk won't create a local inputs.conf unless you add a new input. Unless you're referring to its own logs. Sure, it brings default inputs targeting its own logs. Are these the ones you want to stop monitoring?
Regardless, you can check whatever Splunk is applying for all inputs.conf files by using btool.
./splunk btool inputs list --debug
If you want to disable an input that is available in default, you can just use the same stanza (e.g. [something_something]) in local inputs.conf with disabled = true
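
An added example, not part of the original posts: a small shell filter for the `btool inputs list --debug` output mentioned above, which reports which inputs.conf defines each monitor stanza under a path and which file sets its effective `disabled` value. The function names, `example_app` and the sample paths are constructed for illustration, and conf file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: find which inputs.conf defines a monitor stanza and where
# its effective "disabled" value comes from.

# Constructed sample of `splunk btool inputs list --debug` output.
# example_app and every path below are made up for illustration.
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/apps/example_app/default/inputs.conf [monitor:///etc]
/opt/splunk/etc/apps/example_app/local/inputs.conf   disabled = true
/opt/splunk/etc/apps/example_app/default/inputs.conf index = os
/opt/splunk/etc/system/default/inputs.conf           [monitor://$SPLUNK_HOME/var/log/splunk]
/opt/splunk/etc/system/default/inputs.conf           index = _internal
/opt/splunk/etc/apps/example_app/default/inputs.conf [monitor:///etc/ssh]
/opt/splunk/etc/apps/example_app/default/inputs.conf disabled = false
EOF
}

# Usage: splunk btool inputs list --debug | find_monitor_sources /etc
# Prints: stanza|file defining the stanza|disabled=<value>|file setting disabled
find_monitor_sources() {
    awk -v prefix="$1" '
        function emit() {
            if (want) print stanza "|" src "|disabled=" disabled "|" dsrc
        }
        {   # --debug puts the source conf file first on every line
            file = $1
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)
        }
        rest ~ /^\[/ {          # stanza header: report the previous one
            emit()
            stanza = rest; src = file; disabled = "unset"; dsrc = "-"
            p = "[monitor://" prefix
            c = substr(stanza, length(p) + 1, 1)
            # match the path itself or anything below it, not /etcfoo
            want = (index(stanza, p) == 1 && (c == "]" || c == "/"))
            next
        }
        want && rest ~ /^disabled[ \t]*=/ {
            disabled = rest
            sub(/^disabled[ \t]*=[ \t]*/, "", disabled)
            dsrc = file
        }
        END { emit() }
    '
}

sample_btool_output | find_monitor_sources /etc
```

In the sample, `[monitor:///etc]` comes from the app's default inputs.conf and is switched off by `disabled = true` in the same stanza of its local inputs.conf, while `[monitor:///etc/ssh]` is still active.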