I am trying to stop the splunkd.log and metrics.log from Windows Universal Forwarders.
Since it is a distributed environment, I deployed a small base app config to make this happen. My inputs.conf stanza looks as follows:
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
index = _internal
disabled = true
[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
index = _internal
disabled = true
Any suggestions?
Thanks in advance.
There is a possibility that settings are duplicated. How about excluding it as a blacklist?
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
※ Restart is okay?
Do you mean excluding it as a blacklist in outputs.conf?
I have enabled the restart splunkd option while deploying it from the deployment server.
Set blacklist in inputs.conf. See blacklist setting in the default inputs.conf.
[blacklist:$SPLUNK_HOME\etc\auth]
Please add the setting in the same way.
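
The blacklist approach suggested above, written out as an added example that is not part of the original thread. It assumes the stanza name is identical to the directory monitor quoted earlier so the setting layers onto it, and the regular expression is constructed for illustration.

```ini
# inputs.conf in the deployed base app (added example, not from the thread).
# Assumption: the stanza name matches the directory monitor quoted above,
# so this setting is merged into that stanza.
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
# blacklist is a regular expression matched against the full file path;
# files that match are skipped by this monitor input.
# [\\/] accepts either path separator, so only files named exactly
# splunkd.log or metrics.log match (splunkd_access.log does not).
blacklist = [\\/](splunkd|metrics)\.log$
```

After the forwarder restarts, `splunk btool inputs list --debug` run on the forwarder shows which file each effective setting comes from, which helps spot the duplicated settings mentioned in the answer.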