Splunk Search

disable splunk-*.exe to further lower the foot-print

alextsui
Path Finder

After enabling the light forwarder on a Windows machine, I noticed that the splunk-regmon.exe and splunk-wmi.exe still run as processes. Since I only use the light forwarder to monitor some application log files, Is it ok to disable the splunk-regmon.exe, splunk-wmi.exe, and spunk-admon.exe by adding the following configuration to inputs.conf in C:\Program Files\Splunk\etc\system\local\

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path] disabled = 1

thanks

gkanapathy
Splunk Employee
Splunk Employee

Yes, it is perfectly okay to do this. I personally would prefer that these not be enabled by default, and I am rather surprised they are shipped in the system default inputs.conf file.

gfriedmann
Communicator

Yah, the sample_app being enabled by default is the one that bit me. Deploying 100 windows light forwarders at once resulted in my indexer being immediately splooged with 100 * 8MB of sendmail data from the sample_app maillog files.

I used the MSI flag to enable LIghtForwarder app, which disables a lot, but doesn't disable the other apps.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...