I'm running Splunk 6.1 as my indexer. I have a 6.1 universal forwarder setup on a windows box and I'm trying to filter what event logs get sent back to the indexer.
I added this stanza to inputs.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local:
disabled = 0
blacklist = 5145,5156
I then restarted the forwarder service and unfortunately I am still seeing 5145s and 5156s in my indexer. Am I missing something? I looked at splunkd.log but it didn't provide any insight on the issue.
Take a look at this excellent blog post:
This blog is a good read. Other references
They may have some extra filters, so adjust per your need.