Solved: Splunk Events still coming through despite setting...

cchitten · ‎02-23-2015

I am still receiving and indexing events from my splunk forwarder despite setting "Disabled=1" for everything in inputs.conf.
I have also restarted my splunk indexer instance. Nothing has stopped them.

How often does splunk load settings from the .conf files?

cchitten · ‎02-23-2015

You have to manually restart the splunk forwarder. To do this go to the device the forwarder is installed on and run the splunk.exe from the command prompt with the argument restart.

Example:
C:splunkforwardersplunk.exe restart

View solution in original post

cchitten · ‎02-23-2015

You have to manually restart the splunk forwarder. To do this go to the device the forwarder is installed on and run the splunk.exe from the command prompt with the argument restart.

Example:
C:splunkforwardersplunk.exe restart

satishsdange · ‎02-23-2015

could you please provide more information e.g. inputs.conf, sample events..that would really help in troubleshooting

cchitten · ‎02-23-2015

Example event:

02/23/2015 04:26:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=*********
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=736244
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.

inputs.conf stanza:

[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 1
index = forwardedeventlogs
start_from = oldest
renderXml=1

Splunk Events still coming through despite setting "Disabled=1"

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases