Hi I've installed the splunk indexer on linux machine and universal forwader on a windows machine.While installing universal forwader - at the Installation wizard I gave some basic inputs to enable like CPU load,disk space and system log in windows but I dont want to monitor this any more so I need to remove this info.I have cleared the inputs.conf under $SPLUNKHOME/etc/apps/MSICreated/inputs.conf and $SPLUNKHOME/etc/system/local/inputs.conf but still the inputs ' CPU load,disk space and system log' is shown in splunk web console How do I remove the above inputs from indexing please? Thanks ... View more

Hi I've few indexing issues here,I have three to five entries in the inputs.conf of a universal forwader in a windows machine and my splunk indexer is in linux machine so now the forwarders is forwarding the data to indexer but later I thought of removing the existing entries in inputs.conf and add different input there however when I look into the splunkweb console I can still see the my old logs(the log location which I gave in inputs.conf at first) along with new log files.I thought if we delete the log location(input) from inputs.conf splunk will stop indexing and will not be shown in splunk web console? ... View more

Hi We ran out of disk space in the splunk indexer and I cleaned the data using the below methods source="E:\Application1\logs\*" | delete which deleted all the logs from splunk web console but still the disk space wasn't reduced so I deleted all the index using CLI command './splunk clean eventdata' which reduced the disk space. After restarting the server I cant see my old logs in the splunk web but the /opt mount point is increasing I dont know what is being indexed as of now as I can't see anything in splunkweb but my input.confs file in the universal forwarder has got E:\Application1\logs\ entry How to find out what is indexing? If I need to delete something permanently which I no longer need to be monitored where should I make the change(deleteing the in entry in input.confs is not working)? How to view the old log files back again in splunkweb? ... View more

Hi I've installed splunk indexer on a linux server and universal splunk forwarder on a windows machine,while installing the universal forwader I enabled few logs for forwarding such as 1 WinEventLog:Application 2 WinEventLog:System 3 Perfmon:CPU Load 4 Perfmon:Available Memory 5 Perfmon:Free Disk Space And this is working as I see this the above splunk indexer ,NOw I want to remove this one and point my application logs in the universal forwader so that I can view the application logs in indexer How to do this? I tried to do this by editing the input.conf file at /splunkhome/etc/system/local - but no luck - also I need to give new inputs such as my application logs - where do I add this in universal forwader?I'm kind of confused between inputs.conf and output.conf- Can any one please help ... View more

Hello I want to configure SSL between forwarder and receiver .I'm following the steps given in below wiki.If you see,in step3 we are copying the server certificate to the forwarders where we need to configure SSL but the password for the certificate is given as 'sslPassword = default' http://wiki.splunk.com/Community:Splunk2Splunk_SSL_3rdPartyCA Does anyone know which password is this? Is it the same password that we used to create the private key earlier in step 2 or is there something called as 'default' password for forwarders? I'm confused because in step2 it is given as "password = server_privkey_password " and step3 as default ... View more

Hi I'm new to splunk ,thats why such a basic question what is the use of deployment server in a splunk environment.when we should consider to set up a deployment server and client? All I know is to setup a full splunk instance- indexer/header at one machine and forwader at other machine where we need to monitor logs but what is the role of deployment server and client? Any help is highly appreciated Thanks ... View more

Hello We are going to install splunk on our WAS environment.We have a separate server for indexer and on WAS server we'll install universal forwarder so my question is under what user-id splunk should be installed? both splunk indexer and universal forwarder has to be installed under same user id?(both will be running on different machines) ... View more