Getting Data In

Universal Forwarder question

jasonwilliams14
New Member

Hopefully, a easy question here.
Just setup a universal forwarder on My linux machine. I installed it just fine and did a test by specifying a monitor of /var/log/secure, just to ensure everything works.

Well it does perfectly.

My question now is, how do I delete that monitor? I was looking at the inputs.conf and outputs.conf in 'local' (says to leave the defaults alone), but I dont see anything in there.

Am I missing something?
Also, is there a way to list the monitors you have setup using the CLI?

Thx

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

For listing inputs from the CLI, you can use this:

./bin/splunk cmd btool inputs list

or this:

./bin/splunk list monitor

For deleting a monitor, either delete or comment out the stanza from inputs.conf (if the file in local says to be left alone, someone probably copied over the file from defaults including that notice) or use the CLI:

./bin/splunk remove monitor "path goes here"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...