Deployment Architecture

I edited Disable =1 in inputs.conf on deploymentserver and reloaded but i see that the sourcetypes are still generating events?? please help

sridhar2901
New Member

I edited Disable =1 in inputs.conf on deploymentserver and reloaded but i see that the sourcetypes are still generating events?? please help

Tags (1)
0 Karma

FrankVl
Ultra Champion

And don't forget to check what "stateOnClient" is set to in your serverclass.conf. By default that is set to enabled, which means that the inputs.conf will get pushed to your forwarders in enabled state regardless of the state you set in inputs.conf on the DS.

stateOnClient = enabled | disabled | noop
* If set to "enabled", sets the application state to enabled on the client,
  regardless of state on the deployment server.
* If set to "disabled", set the application state to disabled on the client,
  regardless of state on the deployment server.
* If set to "noop", the state on the client will be the same as on the
  deployment server.
* Can be overridden at the serverClass level and the serverClass:app level.
* Defaults to enabled.
0 Karma

sridhar2901
New Member

My Universal forwarders received the changes but they are not restarting to reflect the change. I had to manually restart all of my 16 forwarders.....Why is is happening??

0 Karma

FrankVl
Ultra Champion

What does your serverclass.conf look like?

0 Karma

493669
Super Champion

Hi,
You need to make disabled=1 and not disable

disabled = [0|1]
* Whether or not the event collector input is active.
* Set this setting to 1 to disable the input, and 0 to enable it.
* Defaults to 1 (disabled).
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...