Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Remove Universal Forwarder default monitoring sources

ajmorris
Engager
‎02-14-2014 05:04 AM

I've just installed the Universal Forwarder on Windows using the MSI. During installation, I told it to only monitor one folder of logs. It did that, and it's monitoring all of the windows events, too. That's causing me to exceed my license. I would like to turn off all of the default logging sources, except for the one I selected.

Reading everything I can find, I would expect that those would be listed in the Forwarder's inputs.conf, but there's nothing in there for my folder or for the Windows events. So, where are the settings that I entered using the MSI? And, how do I change them? And, how do I dial down the forwarding to just the one folder that I want?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎02-14-2014 06:31 AM

Those configurations must reside on an inputs.conf file, these files can be located in multiples locations:

etc/system/local and default
etc/any app/local and default
Users folders...

Anyway if you are not able to found it, you can use this command:

splunk cmd btool inputs list --debug

regards

Reply
Solved! Jump to solution

ajmorris
Engager
‎02-14-2014 08:14 AM

Wow, that was exactly what I needed. It took me a minute to figure out that I need to run that at an admin command prompt, though. The event log monitors were defined in:
\etc\apps\Splunk_TA_windows\default\inputs.conf
Now that I see the TA folder, I understand that it's the Windows Technology Add-On, and it all makes a lot more sense. Thanks you!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...