All Apps and Add-ons

data need to control citrix users and sessions only

mfmartins
Engager

HI I setup trial splunk and app for citrix.
The only thing i want to control overtime is
how many concurrent users and sessions i have at a given time.
I'm getting a lot of data (cpu , memory etc etc), and splunk is indexing much more than 500 MB / day for 3 xenapp servers.
What i would like to know is how to setup the forwarder in order to just get / index the minimum data so i can control users and session usage ?

0 Karma
1 Solution

lukejadamec
Super Champion

On the forwarder for all three servers, in the splunkuniversalforwarder\etc\apps folder search all of the apps for \local\inputs.conf files and change the disabled = 0 to disabled = 1 for all inputs that you don't want. Then do the same thing for perfmon.conf and wmi.conf. Then check the splunkuniversalforwarder\etc\system\local folder for those same files and do the same thing.
This will only affect indexing after a Splunk restart on each server after the changes are made. After the restart, let us know if there are any unwanted sourcetypes that are still getting indexed.

View solution in original post

lukejadamec
Super Champion

Good news. Time to tune.

0 Karma

mfmartins
Engager

Hi Luke ,
It looks like that problem of data volume is solved ... now we will work on fine tunning
Thanks !
Regards,
Miguel

0 Karma

mfmartins
Engager

Hi Luke ,
Thanks for your help i will try and get back to give feedback tomorrow).
Miguel

0 Karma

lukejadamec
Super Champion

On the forwarder for all three servers, in the splunkuniversalforwarder\etc\apps folder search all of the apps for \local\inputs.conf files and change the disabled = 0 to disabled = 1 for all inputs that you don't want. Then do the same thing for perfmon.conf and wmi.conf. Then check the splunkuniversalforwarder\etc\system\local folder for those same files and do the same thing.
This will only affect indexing after a Splunk restart on each server after the changes are made. After the restart, let us know if there are any unwanted sourcetypes that are still getting indexed.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...