All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

data need to control citrix users and sessions only

mfmartins
Engager
‎12-11-2013 02:11 PM

HI I setup trial splunk and app for citrix.
The only thing i want to control overtime is
how many concurrent users and sessions i have at a given time.
I'm getting a lot of data (cpu , memory etc etc), and splunk is indexing much more than 500 MB / day for 3 xenapp servers.
What i would like to know is how to setup the forwarder in order to just get / index the minimum data so i can control users and session usage ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎12-11-2013 02:26 PM

On the forwarder for all three servers, in the splunkuniversalforwarder\etc\apps folder search all of the apps for \local\inputs.conf files and change the disabled = 0 to disabled = 1 for all inputs that you don't want. Then do the same thing for perfmon.conf and wmi.conf. Then check the splunkuniversalforwarder\etc\system\local folder for those same files and do the same thing.
This will only affect indexing after a Splunk restart on each server after the changes are made. After the restart, let us know if there are any unwanted sourcetypes that are still getting indexed.

View solution in original post

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎12-12-2013 12:02 PM

Good news. Time to tune.

0 Karma
Reply
Solved! Jump to solution

mfmartins
Engager
‎12-12-2013 11:51 AM

Hi Luke ,
It looks like that problem of data volume is solved ... now we will work on fine tunning
Thanks !
Regards,
Miguel

0 Karma
Reply
Solved! Jump to solution

mfmartins
Engager
‎12-11-2013 02:43 PM

Hi Luke ,
Thanks for your help i will try and get back to give feedback tomorrow).
Miguel

0 Karma
Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎12-11-2013 02:26 PM

On the forwarder for all three servers, in the splunkuniversalforwarder\etc\apps folder search all of the apps for \local\inputs.conf files and change the disabled = 0 to disabled = 1 for all inputs that you don't want. Then do the same thing for perfmon.conf and wmi.conf. Then check the splunkuniversalforwarder\etc\system\local folder for those same files and do the same thing.
This will only affect indexing after a Splunk restart on each server after the changes are made. After the restart, let us know if there are any unwanted sourcetypes that are still getting indexed.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...