Solved: Re: Splunk App for Unix and Linux: How to ignore t...

paola92 · ‎03-13-2017

I have a single instance in CentOS 7 and I am interested in receiving and analyzing logs of my Linux server. But when I installed the Splunk App for Unix and Linux in my single instance, I exceeded my license because I received all logs of my Splunk. So I need to know, how to ignore the logs of my single instance Splunk?

somesoni2 · ‎03-13-2017

The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).

View solution in original post

somesoni2 · ‎03-13-2017

The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).

paola92 · ‎03-13-2017

But if I disable all inputs I will received logs of the other forwarders?

paola92 · ‎03-14-2017

I disable all inputs but I do not see logs but if I realized a capture with tcpdump i see that the packets is getting in the server.

somesoni2 · ‎03-13-2017

Yes... It'll only disable logging for current servers (whose inputs.conf you're updating).

Splunk App for Unix and Linux: How to ignore the logs of my single instance?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Are you a member of the Splunk Community?

Splunk App for Unix and Linux: How to ignore the logs of my single instance?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1