I am using a Universal Forwarder to collect events from a Windows server. In
Hi chrissale,
Either disable the Windows Add-on on the universal forwarder or set up route and filter on the indexer to filter out the unwanted events. The latter must be done on the indexer and is only valid for new events coming in, because the raw data does not get parsed by the universal forwarder.
hope this helps ...
cheers, MuS
These are set in $SPLUNK_HOME\etc\apps\MSIcreated\default\inputs.conf. You could either change the values there so that these inputs are disabled, or override them by adding new stanzas in etc/system/local/inputs.conf where you disable the inputs.
Hi Ayn, thanks for the quick response. I don't have $SPLUNK_HOME\etc\apps\MSIcreated. Nevertheless I added the following stanzas to $SPLUNK_HOME\etc\system\local\inputs.conf and that seems to have done the trick.
[WinEventLog://Application]
disabled = true
[WinEventLog://Security]
disabled = true
[WinEventLog://System]
disabled = true
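Added example, not part of the original thread: a Python check that merges layered inputs.conf content the way the override described above works (a value in etc/system/local wins over an app's default) and reports which WinEventLog inputs are still effectively enabled. The layer contents and the app path are constructed placeholders, and the accepted boolean spellings and the "enabled when `disabled` is absent" default are assumptions.

```python
import configparser

# Constructed sample layers, highest precedence first. On a real forwarder these
# would be read from etc/system/local/inputs.conf and an app's default/inputs.conf
# (the app path below is a placeholder, not a path from the thread).
LAYERS = [
    ("etc/system/local/inputs.conf", """
[WinEventLog://Application]
disabled = true
[WinEventLog://Security]
disabled = true
"""),
    ("etc/apps/<app>/default/inputs.conf", """
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
"""),
]

TRUE_VALUES = {"1", "true"}  # assumption: simplified set of "true" spellings


def effective_inputs(layers):
    """Merge per attribute; the first (highest-precedence) value seen wins."""
    merged = {}  # stanza -> {key: (value, source_file)}
    for source, text in layers:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault(stanza, {}).setdefault(key, (value.strip(), source))
    return merged


def enabled_event_logs(layers):
    """Return WinEventLog stanzas whose effective 'disabled' is not true."""
    enabled = []
    for stanza, attrs in effective_inputs(layers).items():
        if stanza.startswith("WinEventLog://"):
            value, _ = attrs.get("disabled", ("false", None))  # assumed default
            if value.lower() not in TRUE_VALUES:
                enabled.append(stanza)
    return sorted(enabled)


if __name__ == "__main__":
    print(enabled_event_logs(LAYERS))
```

In the constructed sample the local file omits the System stanza, so that input remains enabled from the app default; each channel needs its own overriding stanza.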