Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Universal Forwarder default monitoring sources

ajmorris
Engager
‎02-14-2014 05:04 AM

I've just installed the Universal Forwarder on Windows using the MSI. During installation, I told it to only monitor one folder of logs. It did that, and it's monitoring all of the windows events, too. That's causing me to exceed my license. I would like to turn off all of the default logging sources, except for the one I selected.

Reading everything I can find, I would expect that those would be listed in the Forwarder's inputs.conf, but there's nothing in there for my folder or for the Windows events. So, where are the settings that I entered using the MSI? And, how do I change them? And, how do I dial down the forwarding to just the one folder that I want?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

Reply
Solved! Jump to solution

ajmorris
Engager
‎02-14-2014 08:14 AM

Wow, that was exactly what I needed. It took me a minute to figure out that I need to run that at an admin command prompt, though. The event log monitors were defined in:
\etc\apps\Splunk_TA_windows\default\inputs.conf
Now that I see the TA folder, I understand that it's the Windows Technology Add-On, and it all makes a lot more sense. Thanks you!

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...