HI I setup trial splunk and app for citrix.
The only thing i want to control overtime is
how many concurrent users and sessions i have at a given time.
I'm getting a lot of data (cpu , memory etc etc), and splunk is indexing much more than 500 MB / day for 3 xenapp servers.
What i would like to know is how to setup the forwarder in order to just get / index the minimum data so i can control users and session usage ?
On the forwarder for all three servers, in the splunkuniversalforwarder\etc\apps folder search all of the apps for \local\inputs.conf files and change the disabled = 0 to disabled = 1 for all inputs that you don't want. Then do the same thing for perfmon.conf and wmi.conf. Then check the splunkuniversalforwarder\etc\system\local folder for those same files and do the same thing.
This will only affect indexing after a Splunk restart on each server after the changes are made. After the restart, let us know if there are any unwanted sourcetypes that are still getting indexed.
Hi Luke ,
It looks like that problem of data volume is solved ... now we will work on fine tunning