Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are any default apps in universal forwarder unnecessary?

hectorvp
Communicator
‎09-25-2020 06:29 AM

I just installed universal forwarder,

And was deploying my first app using DS, I came accros few apps in place prior to what I configure on UF.

Path: \etc\apps\ 

Apps found are:

introspection_generator_addon

learned

searched

splunk_httpinput

splunk_internal_metrics

SplunkUniversalForwarder

 

Is any them unnecessary and can I remove?

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-25-2020 06:46 AM

Any apps already in place before the UF receives anything from the DS is standard Splunk and shouldn't be touched.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 04:18 AM

Hi @richgalloway 

In my case, more volume of data produced from Learned app. Is there any possibility to disable this app: learned? 

If we can't disable how to stop generate logs from this app: learned ?

Your response is much appreciated. 

Regards,

Jagadeesh

@gcusello @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 06:03 AM

This question is more than 2 years old with an accepted answer.  You should have posted a new question.

The learned app is invoked when data is received without a sourcetype.  To avoid using the app, ensure all data ingested by Splunk has a sourcetype associated with it and that sourcetype is configured in props.conf.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jagadeesh2022
Path Finder
‎12-22-2022 10:27 AM

@richgalloway 

Sorry to updated in the older question.  

Thanks for your response.  My last question. If we just mention sourcetype in input.conf  is not enough?

I should to mention the same sourcetype again in props.conf ?  

Thanks in advance. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 12:14 PM

If a sourcetype is not in props.conf then it doesn't exist.  Mentioning it in inputs.conf alone is not enough.  Props.conf is where the properties of the sourcetype are specified.  Without them, Splunk has to guess about the sourcetype and often guesses wrong.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...