thanks Sierrax, but not sure where I can find this configuration ? I mean whether we need to check the host machine where logs are getting generated ? Because when I run the below query we are getting events as show below

       host=host1* source = rest://Solarwinds Nodes sourcetype = rest:solarwinds:nodes  

Output
{[-]
results:[[+]
]
}
Show as raw text
And the moment when we hit the Shows as raw text it displays list of server details

"results":[{"solarwinds_node_id":2,"polling_engine_id":14,"polling_engine":"Test01","solarwinds_prefix":"N:","src_ip":"10.X.X.X","host":"","percent_memory_used":62,"cpu_load":11,"up_since":"2016-09-29T19:28:00","host_tier":null},{"solarwinds_node_id":3,"polling_engine_id":13,"polling_engine":"Test07","solarwinds_prefix":"N:","src_ip":"10..X.X.X","host":"","percent_memory_used":58,"cpu_load":11,"up_since":"2016-09-29T18:53:00","host_tier":null},{"solarwinds_node_id":4,"polling_engine_id":2,"polling_engine":"Test01","solarwinds_prefix":"N:","src_ip":"10.X.X.X","host":"","percent_memory_used":16,"cpu_load":6,"up_since":"2016-11-06T19:51:00","host_tier":null},

When checked with users they confirmed that the list of server are having Solar wind application running into it.

Question :

1) From the list of host machine Test01, under opt/SplunkUniversalforwarder/etc/apps/TA-Solarwinds/local/inputs.conf file are already disabled and also the above events are getting into default index main. And there is no Props or transform .conf file present under this folder.

Inputs.conf details
[WinEventLog://Microsoft-IIS-Configuration/Operational]
disabled = 1
ignoreOlderThan = 4d
index = win_srv

2) Whereas in host=host1 server (splunk--> license/deployment instances are running). We could see apps called TA-Solarwinds --> default --> under this folder there are props,transform,eventype,workflow_action.conf and app.conf files.

But not sure from how/where this events are getting into Splunk. so kindly guide me where exactly I need to trouble shoot this issue to disable the events getting into splunk.

thanks in advance.

Hi Sierrax, thanks for your effort on this, I got doubt whether I need to add this below stanza into the props.conf, along with the stanza that are already present in the props.conf as mentioned above comments.

[rest:solarwinds:nodes]
DEST_KEY = nullQueue

thanks in advance.

Ok again...

I'm not sure this is correct ... and I haven't the time to test it the next couple of days for free.

To test:
Build up a Test-Splunk Server in a Virtual Machine with a http-event collector and another Linux VM as sender. Send a few times events with this sourcetype from Linux VM to http-event collector to see it's running in... when this is working correct... write the 2-liner in a props.conf (e.g. in $SPLUNKHOME/search/local/props.conf) ... restart the server and look there are any error messages which are not there before...
Send a few times events with this sourcetype again, and see the source type is still running in or not.
When not check also the licensing, that the events are also not counted on your license.

Time to check this way... I think 1 or 2 hours.

Hi Sierrax, Could please guide on this issue, as these events are taking unwanted space and huge licenses.
thanks in advance.

At the moment I have not the time to build a similar setup to develop and test for Karma.

Possible immediate solutions for you:
- Learn how Splunk works and how to build an app.
- Ask Splunk or Solarwind for support.
- Hire a Splunk Consultant

Hi All, Can any one guide me on the above problem as it consuming more licenses.

thanks in advance.