I have a single instance in CentOS 7 and I am interested in receiving and analyzing logs of my Linux server. But when I installed the Splunk App for Unix and Linux in my single instance, I exceeded my license because I received all logs of my Splunk. So I need to know, how to ignore the logs of my single instance Splunk?
The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).
The unix app will have an inputs.conf in it (look at location $Splunk_Home/etc/apps/splunk_app_for_nix/local). YOu can disable inputs by setting disabled = 1 for all the input stanza you want to disable. YOu can also do the same via Splunk Web UI (from Settings->Data Inputs or from the app itself).
But if I disable all inputs I will received logs of the other forwarders?
I disable all inputs but I do not see logs but if I realized a capture with tcpdump i see that the packets is getting in the server.
Yes... It'll only disable logging for current servers (whose inputs.conf you're updating).