Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Universal Forwarder default monitoring sources

ajmorris
Engager
‎02-14-2014 05:04 AM

I've just installed the Universal Forwarder on Windows using the MSI. During installation, I told it to only monitor one folder of logs. It did that, and it's monitoring all of the windows events, too. That's causing me to exceed my license. I would like to turn off all of the default logging sources, except for the one I selected.

Reading everything I can find, I would expect that those would be listed in the Forwarder's inputs.conf, but there's nothing in there for my folder or for the Windows events. So, where are the settings that I entered using the MSI? And, how do I change them? And, how do I dial down the forwarding to just the one folder that I want?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

Reply
Solved! Jump to solution

ajmorris
Engager
‎02-14-2014 08:14 AM

Wow, that was exactly what I needed. It took me a minute to figure out that I need to run that at an admin command prompt, though. The event log monitors were defined in:
\etc\apps\Splunk_TA_windows\default\inputs.conf
Now that I see the TA folder, I understand that it's the Windows Technology Add-On, and it all makes a lot more sense. Thanks you!

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top