Forums: SplunkAdministration: Unattended install/configuration


Hello,
I want to deploy Splunk to many servers with LightForwarder enabled, but forwarding only the Windows Security Event Log. From an unattended configuration standpoint I got everything covered using CLI commands, but I can't figure out how to disable the default indexing of the Application and System logs from the CLI. Any clues?

Thanks, Marcin

OK, I can do that by using a batch file with the following:
echo [default] > "c:\program files\splunk\etc\system\local\inputs.conf"
echo host = %COMPUTERNAME% >> "c:\program files\splunk\etc\system\local\inputs.conf"
echo. >> "c:\program files\splunk\etc\system\local\inputs.conf"
echo [WinEventLog:Security] >> "c:\program files\splunk\etc\system\local\inputs.conf"
echo disabled=0 >> "c:\program files\splunk\etc\system\local\inputs.conf"

But I was thinking about a more elegant approach :)

The MSI installer has options for disabling the Windows Event Logs collection:

http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindowsviathecommandline#Supported_flags

Use these flags to specify whether or not Splunk should index a particular Windows event log.

* WINEVENTLOGAPPCHECK=1/0, off by default
* WINEVENTLOGSECCHECK=1/0, off by default
* WINEVENTLOGSYSCHECK=1/0, off by default
* WINEVENTLOGFWDCHECK=1/0, off by default
* WINEVENTLOGSETCHECK=1/0, off by default

I would recommend something like this approach:

http://www.splunk.com/base/Deploy:SplunkForwader_for_Windows_installscript

Or using the "splunk disable input" command line functions.
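
An added example, not part of any post in this thread: a PowerShell version of the inputs.conf approach that turns the Application and System logs off explicitly, enables Security, and reads the file back to confirm the result. The default path comes from the batch file above; the `[WinEventLog:Application]` and `[WinEventLog:System]` stanza names are an assumption that follows the naming of the `[WinEventLog:Security]` stanza shown there.

```powershell
# Added example: write system\local\inputs.conf so only the Security log is collected.
param(
    # Path taken from the batch file in the thread; adjust for your install directory.
    [string]$InputsConf = 'C:\Program Files\Splunk\etc\system\local\inputs.conf'
)

# Desired state: 1 = disabled, 0 = enabled. Application and System are switched
# off explicitly instead of relying on whatever the defaults happen to be.
# Stanza names for Application and System are assumed (see lead-in).
$desired = [ordered]@{
    'WinEventLog:Application' = 1
    'WinEventLog:System'      = 1
    'WinEventLog:Security'    = 0
}

# Keep a copy of any existing local configuration before overwriting it.
if (Test-Path -LiteralPath $InputsConf) {
    Copy-Item -LiteralPath $InputsConf -Destination "$InputsConf.bak" -Force
}

$lines = @('[default]', "host = $env:COMPUTERNAME", '')
foreach ($stanza in $desired.Keys) {
    $lines += "[$stanza]"
    $lines += "disabled = $($desired[$stanza])"
    $lines += ''
}

# Windows PowerShell redirection (>) writes UTF-16; write ASCII explicitly
# so the .conf file stays plain text.
Set-Content -LiteralPath $InputsConf -Value $lines -Encoding ASCII

# Read the file back and confirm each stanza carries the intended setting.
$current = $null
$actual  = @{}
foreach ($line in Get-Content -LiteralPath $InputsConf) {
    if ($line -match '^\[(.+)\]$') { $current = $Matches[1] }
    elseif ($current -and $line -match '^\s*disabled\s*=\s*(\d)\s*$') {
        $actual[$current] = [int]$Matches[1]
    }
}
foreach ($stanza in $desired.Keys) {
    if ($actual[$stanza] -ne $desired[$stanza]) {
        throw "inputs.conf check failed for [$stanza]"
    }
}
Write-Output "inputs.conf written: only WinEventLog:Security is enabled."
```

Run it from an elevated session, since the file lives under Program Files, and restart Splunk afterwards so the new inputs are read.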