All Apps and Add-ons

Splunk App for Unix and Linux: How to ignore the logs of my single instance?

paola92
Explorer

I have a single instance in CentOS 7 and I am interested in receiving and analyzing logs of my Linux server. But when I installed the Splunk App for Unix and Linux in my single instance, I exceeded my license because I received all logs of my Splunk. So I need to know, how to ignore the logs of my single instance Splunk?

0 Karma
1 Solution

somesoni2
Revered Legend

The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).

View solution in original post

0 Karma

somesoni2
Revered Legend

The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).

0 Karma

paola92
Explorer

But if I disable all inputs I will received logs of the other forwarders?

0 Karma

paola92
Explorer

I disable all inputs but I do not see logs but if I realized a capture with tcpdump i see that the packets is getting in the server.

0 Karma

somesoni2
Revered Legend

Yes... It'll only disable logging for current servers (whose inputs.conf you're updating).

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...