Hi, I have Splunk set up on my workstation, but do not want to monitor the workstation itself. I have gone to Manager » Data inputs » Event log collections » localhost, and cleared all selected logs (application, security, and system), and hit save. When I go back there, however, these three logs are back in the Selected Log(s) box. I have disabled all other data inputs, but still, I get events for my workstation. Am I doing something wrong? Do I need to send these events to a nullqueue, as described in the link below?
Hello. I'm interested in doing something like that because of the license's warnings. I'm monitorizing several servers from my computer but I don't want my computer's logs at all. I noticed the most info Splunk get is from my computer so I already have 3 warnings!
I have tried to put my computer's info into another index and disable it but I'm not sure that's going to work. I'd like to send my computer's info to a null queue and I tried but I wasn't able.
What exactly do I have to modify in outputs.conf? What about props.conf?
I'll aprecciate any help!
PD. Sorry about my English!
Cool, Thank you. I'll be checking that out tomorrow. If you know of a link for editing outputs.conf, I'd love to read it (I'm not in front of my splunk installation right now, so I can't read the file itself).