I'd like to turn off a couple of modular inputs on a universal forwarder, such as WinPrintMon. Two questions:
1) If there are no inputs.conf settings involving WinPrintMon other than the stanza definition in etc/system/default, does that mean it's not in use? Or is the input doing secret hidden things behind the scenes that might break if I turned it off?
2) If I didn't have access to the forwarder conf files, would there be a way to tell from the search interface whether a particular piece of data was sent via one of these inputs?
do you get results from these search queries -
sourcetype=WinPrintMon type=PrintJob operation=add
or simply
sourcetype=WinPrintMon
The best way to proceed, without access to the target system, is using a Deployment Server if you have one, so I suggest configuring it just to manage these situations.
Anyway, if the problem is to exclude these logs from your results you can insert in your searches sourcetype!=WinPrintMon.
If the problem is to filter them so they don't overload your license, the best way is to filter them at the source in inputs.conf, or on the Indexer before index time:
in your app's props.conf
[WinPrintMon]
TRANSFORMS-WinPrintMon=set_nullqueue,set_WinPrintMon
and in your app's transforms.conf
[set_WinPrintMon]
REGEX=WinPrintMon
DEST_KEY=_MetaData:Index
FORMAT=your_index
[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
I don't have a system to test the WinPrintMon regex on, so check it first.
Beware of the order in props.conf: if you change it, it doesn't work (in transforms.conf it isn't relevant).
Bye.
Giuseppe
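To check the order of a TRANSFORMS chain before deploying it, here is a small added example (not from the answer above or from Splunk) that models the routing semantics: each transform whose REGEX matches sets its DEST_KEY to FORMAT, the last match wins per key, and an event whose final queue is nullQueue is discarded. The set_nullqueue and set_WinPrintMon stanzas are taken from the answer; keep_print_jobs, the default key values and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Transform:
    """One transforms.conf stanza: REGEX, DEST_KEY and FORMAT."""
    name: str
    regex: str
    dest_key: str
    fmt: str

# Stanza names from the answer above; keep_print_jobs is a hypothetical addition
# that re-routes matching events back to the index queue.
SET_NULLQUEUE = Transform("set_nullqueue", r".", "queue", "nullQueue")
SET_WINPRINTMON = Transform("set_WinPrintMon", r"WinPrintMon", "_MetaData:Index", "your_index")
KEEP_PRINT_JOBS = Transform("keep_print_jobs", r"operation=add", "queue", "indexQueue")

# Constructed sample events, not real WinPrintMon output.
EVENTS = [
    "WinPrintMon type=PrintJob operation=add printer=HR-LaserJet user=alice",
    "WinPrintMon type=PrintJob operation=delete printer=HR-LaserJet user=alice",
    "WinPrintMon type=Printer status=idle printer=HR-LaserJet",
]

def apply_chain(raw, chain):
    """Apply a TRANSFORMS-<class> chain in the listed order.

    Every transform whose REGEX matches sets its DEST_KEY to FORMAT, so for a
    given key the last matching transform wins; different keys do not affect
    each other. The defaults below are constructed stand-ins for the pipeline's.
    """
    keys = {"queue": "indexQueue", "_MetaData:Index": "main"}
    for t in chain:
        if re.search(t.regex, raw):
            keys[t.dest_key] = t.fmt
    return keys

def route(events, chain):
    """Return (indexed, dropped); an event is dropped when its final queue is nullQueue."""
    indexed, dropped = [], []
    for raw in events:
        keys = apply_chain(raw, chain)
        bucket = dropped if keys["queue"] == "nullQueue" else indexed
        bucket.append((raw, keys["_MetaData:Index"]))
    return indexed, dropped

if __name__ == "__main__":
    for label, chain in [
        ("drop all, then keep job adds", [SET_NULLQUEUE, KEEP_PRINT_JOBS, SET_WINPRINTMON]),
        ("same stanzas, order reversed", [KEEP_PRINT_JOBS, SET_NULLQUEUE, SET_WINPRINTMON]),
    ]:
        indexed, dropped = route(EVENTS, chain)
        print(f"{label}: {len(indexed)} indexed, {len(dropped)} dropped")
```

Swapping set_nullqueue and keep_print_jobs drops every event, which is the ordering problem the answer warns about.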
do you get results from these search queries -
sourcetype=WinPrintMon type=PrintJob operation=add
or simply
sourcetype=WinPrintMon
No results. So they'd all come in with the sourcetype of the monitor? And there's nothing else it would be doing?
Mostly they would come in with the default sourcetype.
Yes, as you said, if there are no inputs.conf settings involving WinPrintMon, we can say that printer monitoring is not configured.
Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf.
# Monitor printers on system.
[WinPrintMon://printer]
type = printer
baseline = 0
# Monitor print jobs.
[WinPrintMon://job]
type = job
baseline = 1
# Monitor printer driver installation and removal.
[WinPrintMon://driver]
type = driver
baseline = 1
# Monitor printer ports.
[WinPrintMon://port]
type = port
baseline = 1
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsprinterinformation
Thanks for confirming.