Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are any default apps in universal forwarder unnecessary?

hectorvp
Communicator
‎09-25-2020 06:29 AM

I just installed universal forwarder,

And was deploying my first app using DS, I came accros few apps in place prior to what I configure on UF.

Path: \etc\apps\ 

Apps found are:

introspection_generator_addon

learned

searched

splunk_httpinput

splunk_internal_metrics

SplunkUniversalForwarder

 

Is any them unnecessary and can I remove?

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 04:18 AM

Hi @richgalloway 

In my case, more volume of data produced from Learned app. Is there any possibility to disable this app: learned? 

If we can't disable how to stop generate logs from this app: learned ?

Your response is much appreciated. 

Regards,

Jagadeesh

@gcusello @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 06:03 AM

This question is more than 2 years old with an accepted answer.  You should have posted a new question.

The learned app is invoked when data is received without a sourcetype.  To avoid using the app, ensure all data ingested by Splunk has a sourcetype associated with it and that sourcetype is configured in props.conf.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 10:27 AM

@richgalloway 

Sorry to updated in the older question.  

Thanks for your response.  My last question. If we just mention sourcetype in input.conf  is not enough?

I should to mention the same sourcetype again in props.conf ?  

Thanks in advance. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 12:14 PM

If a sourcetype is not in props.conf then it doesn't exist.  Mentioning it in inputs.conf alone is not enough.  Props.conf is where the properties of the sourcetype are specified.  Without them, Splunk has to guess about the sourcetype and often guesses wrong.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...