Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are any default apps in universal forwarder unnecessary?

hectorvp
Communicator
‎09-25-2020 06:29 AM

I just installed universal forwarder,

And was deploying my first app using DS, I came accros few apps in place prior to what I configure on UF.

Path: \etc\apps\ 

Apps found are:

introspection_generator_addon

learned

searched

splunk_httpinput

splunk_internal_metrics

SplunkUniversalForwarder

 

Is any them unnecessary and can I remove?

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 04:18 AM

Hi @richgalloway 

In my case, more volume of data produced from Learned app. Is there any possibility to disable this app: learned? 

If we can't disable how to stop generate logs from this app: learned ?

Your response is much appreciated. 

Regards,

Jagadeesh

@gcusello @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 06:03 AM

This question is more than 2 years old with an accepted answer.  You should have posted a new question.

The learned app is invoked when data is received without a sourcetype.  To avoid using the app, ensure all data ingested by Splunk has a sourcetype associated with it and that sourcetype is configured in props.conf.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 10:27 AM

@richgalloway 

Sorry to updated in the older question.  

Thanks for your response.  My last question. If we just mention sourcetype in input.conf  is not enough?

I should to mention the same sourcetype again in props.conf ?  

Thanks in advance. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 12:14 PM

If a sourcetype is not in props.conf then it doesn't exist.  Mentioning it in inputs.conf alone is not enough.  Props.conf is where the properties of the sourcetype are specified.  Without them, Splunk has to guess about the sourcetype and often guesses wrong.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...