Hi
I want to disable a few logs from the source. How can I do that?
We have a server which forwards OS logs along with application logs. Both are being forwarded to different indexes. Now we want to disable the application log index, so we want to stop log forwarding from the source server itself.
Hi @mrsingh,
if the file is already in the local folder, you don't need to move it.
About the grants, I suppose that you are speaking of the Deployment Server's folder "$SPLUNK_HOME/etc/deployment-apps"; you need this grant, otherwise you cannot edit it.
Only one question: I suppose that you have a Linux Deployment Server, is it correct?
If true, it's easy to modify the grants of these files.
If you have a Windows DS, it isn't a good idea, because you'll surely have problems deploying apps containing scripts to Linux servers, but anyway, you have to use an administrator with the correct grants.
Ciao.
Giuseppe
Hi Giuseppe
Thank you for your response. I found the relevant log file and index details in the search app, not in any other. In the app.conf of the app, I found that this is a default from Splunk and is used for indexes; however, in inputs.conf, it mentions only one index, which is the one I am interested in. Will it impact the others if I disable it in inputs.conf?
Hi @mrsingh,
at first, identify the source value of the data source to disable (the file name and path),
then run on your Splunk the following search:
index=*
| stats count dc(index) AS index dc(sourcetype) AS sourcetype BY source
In this way you can understand if disabling the data source has effects on other indexes.
But anyway, if in your inputs.conf stanza there's the index definition, disabling that stanza disables only the input in one index.
Could you share the inputs.conf that takes the file?
Ciao.
Giuseppe
Hi @gcusello
Of course, this is what inputs.conf mentions:
[monitor:///opt/apache/logs/access.log.*]
disabled = false
index = oc_test
sourcetype = apache_access
I am interested in disabling log forwarding to this index only, and the relevant log file is from Apache, which of course needs to be disabled.
Hi @mrsingh,
adding "disabled = 1" to this stanza and restarting Splunk on this machine, you disable only this input.
If you have other inputs that write data to the same index, they will remain active, as will the index.
An index isn't a DB table; it's a container that can contain a lot of data, also heterogeneous, coming from many data sources. You're now disabling only one data source.
Ciao.
Giuseppe
Thank you @gcusello for explaining it.
I can disable this input as of now. I have to do it in the deployment server as well, right?
Is it possible to see what all the data sources are for an index?
Hi @mrsingh,
yes, using a search similar to the first one:
| metasearch index=*
| stats values(source) AS source values(sourcetype) AS sourcetype BY index
If one answer solves your need, please accept it for the other people of the Community.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
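As an added example (not from the thread or from Splunk), a small Python helper that does on the forwarder side what the searches above do on the indexer: it parses an inputs.conf, lists which stanzas write to a given index, and sets `disabled = 1` in one stanza while leaving every other stanza as it is. The conf text is constructed from the stanza quoted in the thread plus a hypothetical second Apache input sharing the same index.

```python
import re

# Constructed sample inputs.conf: the stanza quoted in the thread plus a
# hypothetical second input writing to the same index.
SAMPLE_INPUTS_CONF = """\
[monitor:///opt/apache/logs/access.log.*]
disabled = false
index = oc_test
sourcetype = apache_access
[monitor:///opt/apache/logs/error.log]
index = oc_test
sourcetype = apache_error
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(text: str) -> dict:
    """Parse Splunk .conf text into {stanza: {key: value}}; comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := STANZA_RE.match(line):
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def inputs_for_index(text: str, index: str) -> list:
    """Stanzas that write to `index`: the forwarder-side view of the metasearch above."""
    return [s for s, kv in parse_stanzas(text).items() if kv.get("index") == index]

def disable_stanza(text: str, stanza: str) -> str:
    """Return the conf with `disabled = 1` in `stanza` only; other stanzas are untouched."""
    out, in_target, done = [], False, False
    for raw in text.splitlines():
        if m := STANZA_RE.match(raw.strip()):
            if in_target and not done:       # target stanza had no disabled line
                out.append("disabled = 1")
            in_target, done = m.group(1) == stanza, False
        elif in_target and raw.split("=", 1)[0].strip() == "disabled":
            raw, done = "disabled = 1", True  # overwrite the existing value
        out.append(raw)
    if in_target and not done:               # target was the last stanza
        out.append("disabled = 1")
    return "\n".join(out) + "\n"
```

Write the returned text back to the app's local inputs.conf (on the DS if the forwarder is deployment-managed) and restart the forwarder, as the replies describe.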
Hi @gcusello
I am struggling to edit the inputs.conf file. I read from the Splunk documentation that it is recommended to copy it to the local dir rather than changing it in the default directory.
However, this app's inputs.conf is already in the local directory and is not editable. It has write permissions, but I am still not able to edit it. What is the way forward?
Thank you for your help.
Thanks
Charandeep
Thank you so much @gcusello, this worked 🙂
Hi @mrsingh,
if you want to stop the log ingestion from a single data source, you have to go to the Universal Forwarder and disable the data input by adding
disabled = 1
to the related stanza in inputs.conf.
Remember to restart Splunk on the Forwarder after the update.
If your Forwarder is managed by a Deployment Server, you obviously have to update the file in the deployed app on the DS.
Ciao.
Giuseppe