I have been trying to disable the default scripted inputs from a Windows Universal Forwarder (version 6.2.1 and version 6.1.3) running on a Windows 2008 R2 server, but the scripts do not appear to respect the "disabled=" parameter in inputs.conf. The reason for trying to disable the scripted inputs is twofold: first, we are not collecting the data; and second, when they execute they consume 100% CPU, albeit very briefly, but there have been concerns from the server owners about the impact of the Splunk Universal Forwarder running on the server as they see the higher CPU usage attributed to the UF.
Specifically, I've taken the stanzas from $SPLUNK_HOME/etc/system/default/inputs.conf (see below) and copied them into $SPLUNK_HOME/etc/system/local/inputs.conf with the scripted inputs (admon, MonitorNoHandle, WinNetMon, WinPrintMon, WinRegMon, and perfmon) all getting "disabled=1" added to their stanzas. However, the scripts still execute every 60 seconds and can be seen in Task Manager. Is this behavior by design or a bug?
I have found a workaround by changing the "interval=xx" parameter to just "interval=". With that parameter set to blank the scripts execute one time when Splunk UF starts/restarts but not again after the first time.
Is there a better way to disable these scripted inputs?
$SPLUNK_HOME/etc/system/default/inputs.conf
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB
# default single instance modular input restarts
[admon]
interval=60
baseline=0
[MonitorNoHandle]
interval=60
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
[WinPrintMon]
interval=60
[WinRegMon]
interval=60
baseline=0
[perfmon]
interval=300
$SPLUNK_HOME/etc/system/local/inputs.conf
[default]
host = WINDOWS_HOST
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_resolve_ad_obj = 1
start_from = oldest
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_resolve_ad_obj = 1
start_from = oldest
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
evt_resolve_ad_obj = 1
start_from = oldest
# default single instance modular input restarts
[admon]
interval=60
baseline=0
disabled=1
[MonitorNoHandle]
interval=60
disabled=1
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
disabled=1
[WinPrintMon]
interval=60
disabled=1
[WinRegMon]
interval=60
baseline=0
disabled=1
[perfmon]
interval=300
disabled=1
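An offline check of the layering described in the post, as an added example that is not part of the original post or Splunk's own code: it merges a default and a local inputs.conf setting by setting and lists the interval-driven stanzas that are still not disabled. The function names and the abridged sample files are constructed for illustration, and treating only "1" and "true" as disabled is an assumption.

```python
def parse_conf(text):
    """Parse .conf text into {stanza: {setting: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(default_text, local_text):
    """Overlay local settings on default ones, setting by setting."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def still_enabled(default_text, local_text):
    """Return {stanza: interval} for interval-driven stanzas not disabled after merging."""
    # Assumption: "1" and "true" are the values treated as disabled here.
    return {name: s["interval"]
            for name, s in merge_layers(default_text, local_text).items()
            if "interval" in s and s.get("disabled", "0").lower() not in ("1", "true")}
# Constructed, abridged excerpts modelled on the two files quoted in the post.
DEFAULT_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
[admon]
interval=60
baseline=0
[WinEventLog]
interval=60
[perfmon]
interval=300
"""
LOCAL_CONF = """
[admon]
disabled=1
[perfmon]
disabled=1
"""
if __name__ == "__main__":
    for name, interval in still_enabled(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"not disabled: [{name}] interval={interval}")
```

On a live forwarder, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.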