How can I disable a few logs from source?

mrsingh
Explorer

Hi 

 

I want to disable a few logs from source. How can I do that?

We have a server which forwards OS logs along with application logs. Both are being forwarded to different indexes. Now we want to disable the application log index, so we want to stop log forwarding from the source server itself.

0 Karma

mrsingh
Explorer

Hi Giuseppe

Thank you for your response. I found relevant log file and index details in the search apps, not any other though. In the app.conf of the app, I found that this is default from Splunk and used for indexes; however, in inputs.conf, it mentions only the one index which I am interested in. Will it impact the others if I disable it in inputs.conf?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mrsingh,

first, identify the source value of the data source to disable (the file name and path),

then run the following search on your Splunk

index=*
| stats count dc(index) AS index dc(sourcetype) AS sourcetype BY source

In this way you can understand if disabling the data source has effects on other indexes.

But anyway, if in your inputs.conf stanza there's the index definition, disabling that stanza you disable only the input in one index.

Could you share the inputs.conf that takes the file?

Ciao.

Giuseppe

0 Karma

mrsingh
Explorer

Hi @gcusello 

Of course, this is what inputs.conf mentions

[monitor:///opt/apache/logs/access.log.*]
disabled = false
index = oc_test
sourcetype = apache_access

 

I am interested in disabling log forwarding to this index only, and the relevant log file is from apache, which of course needs to be disabled.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mrsingh,

adding "disabled = 1" to this stanza and restarting Splunk on this machine, you disable only this input.

If you have other inputs that write data in the same index, they will remain active as the index.

An index isn't a DB table, it's a container that can contain many data, also heterogeneous, coming from many data sources; you're now disabling only one data source.

Ciao.

Giuseppe

0 Karma

mrsingh
Explorer

Thank you @gcusello  for explaining it.

I can disable for this input as of now. I have to do it in deployment server as well, right?

Is it possible to see what all data-sources are for an index?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mrsingh,

yes, using a search similar to the first one:

 

| metasearch index=*
| stats values(source) AS source values(sourcetype) AS sourcetype BY index

 

If one answer solves your need, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

mrsingh
Explorer

Hi @gcusello 

 

I am struggling to edit the inputs.conf file. I read from Splunk documentation that it is recommended to copy it in the local dir rather than changing it in the defaults directory.

However, this app's inputs.conf is already in the local directory and is not editable. It has write permissions, but I am still not able to edit it. What is the way forward?

 

thank you for your help

 

Thanks

Charandeep

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mrsingh,

if the file already is in local folder, you don't need to move it.

About the grants, I suppose that you are speaking of the Deployment Server's folder "$SPLUNK_HOME/etc/deployment-apps", you need this grant otherwise you cannot edit it.

Only one information: I suppose that you have a Linux Deployment Server, is it correct?

If true, it's easy to modify the grants of these files.

If you have a Windows DS, it isn't a good idea, because you'll surely have problems to deploy apps containing scripts to Linux servers, but anyway, you have to use an administrator with the correct grants.

Ciao.

Giuseppe

mrsingh
Explorer

thank you so much @gcusello  this worked 🙂 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mrsingh,

if you want to stop the log ingestion from a single data source, you have to go in the Universal Forwarder and disable the data input adding

disabled = 1

in the related stanza on inputs.conf.

Remember to restart Splunk on the Forwarder after update.

If your Forwarder is managed by a Deployment Server,  you obviously have to update the file in the deployed App on the DS.

Ciao.

Giuseppe
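
An added example, not part of any post in this thread and not Splunk's own tooling: a small Python check of which inputs.conf stanzas feed each index once an app's local file is layered over its default file, so you can confirm that disabling one monitor leaves other inputs to the same index active. The apache stanza is the one quoted in the thread; the other stanzas, the file contents and the function names are constructed, and only `1`/`true` are treated as disabled (an assumption).

```python
from collections import defaultdict

# Constructed sample files; only the apache stanza comes from the thread.
DEFAULT_CONF = """
[monitor:///opt/apache/logs/access.log.*]
disabled = false
index = oc_test
sourcetype = apache_access

[monitor:///opt/app/logs/app.log]
index = oc_test

[monitor:///var/log/messages]
index = os_linux
"""
LOCAL_CONF = """
[monitor:///opt/apache/logs/access.log.*]
disabled = 1
"""

def parse_conf(text):
    """Parse stanza headers and key = value lines; skip comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge(default, local):
    """Within one app, settings in local/ override those in default/ per key."""
    merged = {name: dict(attrs) for name, attrs in default.items()}
    for name, attrs in local.items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def inputs_by_index(merged):
    """Group stanzas by target index with their effective state."""
    report = defaultdict(list)
    for name, attrs in merged.items():
        off = attrs.get("disabled", "false").lower() in ("1", "true")
        report[attrs.get("index", "(unset)")].append((name, "disabled" if off else "active"))
    return dict(report)

if __name__ == "__main__":
    for index, inputs in inputs_by_index(merge(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))).items():
        print(index, inputs)
```
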
