Getting Data In

Does it take time to stop forwarding data when an app is disabled?

cronin2004
Explorer

Hello,

So basically there is an app in one of our universal forwarders that monitors a file. Recently we decided to stop having that file forward its data. For some reason blocking it (using the props and transform combo) doesn't seem to work, but, in a test environment I have determined disabling it at the app level by setting [install] to be disabled in the app.conf and it works (it indexes next to nothing since its coming from a demo machine which would only be used internally). However, I tried in our production environment (~100 events a second) and its still indexing that data.

So my question is, is there an amount of time it will pick up the changes for the new config? Or should it have been working instantly?

Thanks,

Angel

Tags (1)
0 Karma

cronin2004
Explorer

So I think changing the state = disabled worked after all. It appears that two things happened

1) I had to restart splunk again on the universal forwarder that I disabled it on (it didn't seem to take, while others did)
2) I had to wait for a time for the affects to take (in my case, it seemed to take 7 hours).

I'm not altogether sure why, and I could be wrong in that it takes time to become disabled, but now it is completely blocked.

Is it perhaps the amount of traffic it receives and therefore how often the logs are written to? So it may need to wait until it isn't receiving any more?

0 Karma

skhaneja_splunk
Splunk Employee
Splunk Employee

Hey there..

Not sure if you're managing your forwarders through the Deployment Server or not, but in either scenario, setting the state of the app to disabled in it's app.conf will disable the app.

state = disabled | enabled

That said, in order for your forwarder to pick up that change, you must restart it.

If you are using the Deployment Server, you should either comment out the app from being sent, or blacklist the machine from the stanza that ships the app. By doing so, you will guarantee that the data will not be monitored at all, and therefore not sent to your indexers.

Another option would be to comment out the stanza in your inputs.conf to prevent it from being monitored, and then restart the forwarder.

Hope that helps!

cronin2004
Explorer

So it looks like I was doing the right thing (what you also are pointing out) but it didn't seem to take into affect until about 7 hours later

0 Karma

cronin2004
Explorer

So the architecture is that we have Univ. Fowarders forwarding to heavy forwarders. Did you mean just the Universal forwarders (as I restarted every one of them after) or the heavy forwarders as well?

Thanks

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.