Hello,
I'd like to disable all the input on the Splunk_TA_microsoft_ad, is there a handy way to do this?
for example a local inputs.conf with
[perfmon:*]
disabled = 1
[powershell:*]
disabled = 1
[script:]
disabled = 1
[WinEventLog:]
disabled = 1
will do the trick?
Hi sassens,
if the stanzas are predefined by the app and disabled is 0 on default, changing them to 1 will do the trick.
Hi sassens,
if the stanzas are predefined by the app and disabled is 0 on default, changing them to 1 will do the trick.
Hi,
ok regarding the stanzas they are more like
[WinEventLog://Directory Service]
[powershell://AD-Health]
and so on.
I'm not sure about the * and I don't have any server to test so if you can confirm the syntax?
thanks
The correct syntax in that regard would be
[WinEventLog://*]
Don't forget the two forward-slashes before putting the asteriks for all