Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can I safely turn off modular inputs on a forwarder?

cphair
Builder
‎10-19-2016 05:13 AM

I'd like to turn off a couple modular inputs on a universal forwarder, such as WinPrintMon. Two questions:
1) If there are no inputs.conf settings involving WinPrintMon other than the stanza definition in etc/system/default, does that mean it's not in use? Or is the input doing secret hidden things behind the scenes that might break if I turned it off?
2) If I didn't have access to the forwarder conf files, would there be a way to tell from the search interface whether a particular piece of data was sent via one of these inputs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2016 05:27 AM

do you get results from these search queries - 

sourcetype=WinPrintMon type=PrintJob operation=add
or simply
sourcetype=WinPrintMon

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2016 05:45 AM

The best way to proceed, without access the target system is using a Deployment Server if you have, so I suggest to configure it just to manage these situations.

Every way, if the problem is to exclude these logs from your results you can insert in your searches sourcetype!=WinPrintMon.

If the problem is to filer them to not overload your license, the best way is to filter them at the source in inputs.conf, or into the Indexer before index time:

in your app's props.conf

[WinPrintMon]
TRANSFORMS-WinPrintMon=set_nullqueue,set_WinPrintMon

and in your app's transforms.conf

[set_WinPrintMon]
REGEX=WinPrintMon
DEST_KEY=_MetaData:Index
FORMAT=your_index

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

I haven't a system to test WinPrintMon regex, so check it before.
Beware to the order in props.conf, if you change it, it doesn't work (in transforms.conf it isn't relevant).

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2016 05:27 AM

do you get results from these search queries - 

sourcetype=WinPrintMon type=PrintJob operation=add
or simply
sourcetype=WinPrintMon
0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎10-19-2016 05:30 AM

No results. So they'd all come in with the sourcetype of the monitor? And there's nothing else it would be doing?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2016 05:41 AM

mostly they would come with default sourcetype.
ya, as you said, If there are no inputs.conf settings involving WinPrintMon, we can say that printer monitoring is not configured.

Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf.

# Monitor printers on system.
[WinPrintMon://printer]
type = printer
baseline = 0

 #Monitor print jobs.
[WinPrintMon://job]
type = job
baseline = 1

# Monitor printer driver installation and removal.
[WinPrintMon://driver]
type = driver
baseline = 1

# Monitor printer ports.
[WinPrintMon://port]
type = port
baseline = 1

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsprinterinformation

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎10-19-2016 06:35 AM

Thanks for confirming.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...