Hi,
I'm using Splunk6.0.
I tried to disable a data input monitor by CLI (/opt/splunk/bin/splunk edit monitor '/var/log/messages' -disable 1 -auth admin:password). Display shows "Modified monitor of '/var/log/messages'", however it seems that it is not changed.
(I referred to http://docs.splunk.com/Documentation/Splunk/6.0/Data/MonitorfilesanddirectoriesusingtheCLI)
Is it impossible to disable a data input by CLI?
Thanks
It seems fixed in 6.0.1
`
cd /opt/splunk/bin
./splunk version
Splunk 6.0.1 (build 189883)
./splunk add monitor "/var/log/feed/*.log" -auth admin:changeme
cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
./splunk edit monitor "/var/log/feed/*.log" -disabled true -auth admin:changeme
cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
disabled = true
`
It seems fixed in 6.0.1
`
cd /opt/splunk/bin
./splunk version
Splunk 6.0.1 (build 189883)
./splunk add monitor "/var/log/feed/*.log" -auth admin:changeme
cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
./splunk edit monitor "/var/log/feed/*.log" -disabled true -auth admin:changeme
cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
disabled = true
`
Hi,
it seems that it's really not pissible to do that on CLI.
I have tried on a Universal Forwarder with:
./splunk edit monitor /var/SP/MyFiles/ -disabled true
./splunk edit monitor /var/SP/MyFiles/ -disabled 1
But both without the inteded result.
Note that the parameter should be disabled with a tailing "d"....
However, the parameter "disabled" is not listed in the docs, so maybe this is worth for an enhancement request.
Cheers
Norbert
Hi,
maybe you want to let us know which command you have used to change exactly which file? Then we all could learn something...
Thanks
Sorry, I made a mistake. Other app's file was changed.
I tried it again, and I could change monitor status by CLI on a Splunk Server.
Thanks.