Hi @gcusello
I found this post as I am trying to solve the same issue. I followed your suggestion and copied all the monitor stanzas from system\default\inputs.conf to my inputs file in system\local\inputs.conf, and inserted "disable = 1" into all of them. Then I restarted Splunk.
However, a network capture from my Splunk server is still showing all the log entries being forwarded.
Below is my inputs.conf file. Do you know what could be the issue?
Thanks, Billy.
[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\watchdog\watchdog.log*]
disabled = 1
index = _internal

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
disabled = 1
index = _telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk_instrumentation_cloud.log*]
disabled = 1
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
disabled = 1
_TCP_ROUTING = *
index = _internal
sourcetype = splunk_version

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\configuration_change.log]
disabled = 1
index = _configtracker

[WinEventLog://Security]
disabled = 0
renderXml = 1
whitelist = 4624, 4634