Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Internal Logs from Forwarders not stopped

amulay26
Path Finder
‎09-24-2018 02:33 PM

I am trying to stop the splunkd.log and metrics.log from Windows Universal Forwarders.

Since it is a distributed environment, I deployed a small base app config to make this happen. My inputs.conf stanza looks like as follows:

[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
index = _internal
disabled = true

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
index = _internal
disabled = true

Any suggestions?

Thanks in advance.

  • Akshay
Tags (1)
0 Karma
Reply

HiroshiSatoh
Champion
‎09-24-2018 09:27 PM

There is a possibility that settings are duplicated. How about excluding it as a black list?

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

※ Restart is okay?

0 Karma
Reply

amulay26
Path Finder
‎09-25-2018 12:39 PM

Do you mean excluding at as a blacklist in outputs.conf?

I have enabled restart splunkd option while deploying it from deployment server.

0 Karma
Reply

HiroshiSatoh
Champion
‎09-25-2018 08:52 PM

Set blacklist in inputs.conf. See blacklist setting in the default inputs.conf.

[blacklist:$SPLUNK_HOME\etc\auth]
Please add the setting in the same way.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...