After removing a monitor on one log file from all ...

smanda · ‎10-05-2016

I removed a monitor on one log file from all the Splunk forwarders in the inputs.conf file and restarted Splunk forwarder and Splunk indexers. However, we still see the new logs been indexed and search results returned.

ddrillic · ‎10-05-2016

What is the btool telling on the forwarders?

 ./splunk cmd btool inputs list monitor

Is it listing the removed files?

smanda · ‎10-05-2016

Output of the command is not listing the removed files.

ddrillic · ‎10-06-2016

And you see fresh data from this particular host on which you ran the btool command, right? Doesn't make any sense.

Anybody has any idea?

smanda · ‎10-06-2016

Yes. Its showing the monitors which we configured in inputs.conf right now.

After removing a monitor on one log file from all my Splunk forwarders, why do I still see search results for that log file?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

After removing a monitor on one log file from all my Splunk forwarders, why do I still see search results for that log file?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...