Getting Data In

Can I safely turn off modular inputs on a forwarder?

cphair
Builder

I'd like to turn off a couple of modular inputs on a universal forwarder, such as WinPrintMon. Two questions:
1) If there are no inputs.conf settings involving WinPrintMon other than the stanza definition in etc/system/default, does that mean it's not in use? Or is the input doing secret hidden things behind the scenes that might break if I turned it off?
2) If I didn't have access to the forwarder conf files, would there be a way to tell from the search interface whether a particular piece of data was sent via one of these inputs?

0 Karma
1 Solution

inventsekar
Ultra Champion

Do you get results from these search queries?

sourcetype=WinPrintMon type=PrintJob operation=add
or simply
sourcetype=WinPrintMon

0 Karma

gcusello
SplunkTrust

The best way to proceed without access to the target system is to use a Deployment Server, if you have one, so I suggest configuring one just to manage these situations.

Anyway, if the problem is to exclude these logs from your results, you can add sourcetype!=WinPrintMon to your searches.

If the problem is to filter them so they don't overload your license, the best way is to filter them at the source in inputs.conf, or on the indexer before index time:

in your app's props.conf

[WinPrintMon]
# Order matters here: the catch-all nullQueue rule runs first, then the rule that keeps what you want.
TRANSFORMS-WinPrintMon = set_nullqueue,set_WinPrintMon

and in your app's transforms.conf

[set_WinPrintMon]
# Events matching the regex are put back on the indexing queue; setting only the
# index (_MetaData:Index) would not rescue them from the nullQueue.
REGEX = WinPrintMon
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
# Drop every event of this sourcetype by default.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

I don't have a system to test the WinPrintMon regex on, so check it first.
Beware of the order in props.conf: if you change it, it doesn't work (in transforms.conf the order isn't relevant).

Bye.
Giuseppe

0 Karma

cphair
Builder

No results. So they'd all come in with the sourcetype of the monitor? And there's nothing else it would be doing?

0 Karma

inventsekar
Ultra Champion

Mostly they would come in with the default sourcetype.
Yes, as you said, if there are no inputs.conf settings involving WinPrintMon, we can say that printer monitoring is not configured.

Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf.

# Monitor printers on system.
[WinPrintMon://printer]
type = printer
baseline = 0

# Monitor print jobs.
[WinPrintMon://job]
type = job
baseline = 1

# Monitor printer driver installation and removal.
[WinPrintMon://driver]
type = driver
baseline = 1

# Monitor printer ports.
[WinPrintMon://port]
type = port
baseline = 1

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsprinterinformation

0 Karma
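As an added example (not from the thread and not Splunk's own tooling): a small btool-style check in Python that layers inputs.conf contents in precedence order and reports which WinPrintMon stanzas would actually run, which is what question 1 in the original post asks. The two conf snippets are constructed, and treating disabled=1 on the bare [WinPrintMon] stanza as switching the whole modular input off is an assumption.

```python
import configparser

# Constructed sample contents for two layers of a forwarder's etc tree, lowest
# precedence first: the shipped etc/system/default/inputs.conf (defines the
# scheme but leaves it off) and an app's local/inputs.conf that turns on one
# instance. Values are illustrative, not Splunk's real shipped defaults.
SYSTEM_DEFAULT = """
[WinPrintMon]
disabled = 1

[WinPrintMon://printer]
type = printer
baseline = 0
"""
APP_LOCAL = """
[WinPrintMon]
disabled = 0

[WinPrintMon://job]
type = job
baseline = 1
"""

def merge_layers(layers):
    """Layer inputs.conf texts; later (higher-precedence) layers win per key."""
    merged = {}
    for text in layers:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str          # Splunk keys are case-sensitive
        cp.read_string(text)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    return merged

def active_instances(merged, scheme):
    """Instances of scheme:// that would run after merging.

    Assumption: disabled=1 on the bare [scheme] stanza switches the whole
    modular input off, whatever the per-instance stanzas say."""
    off = {"1", "true", "yes"}
    if merged.get(scheme, {}).get("disabled", "0").strip().lower() in off:
        return []
    return sorted(s for s, keys in merged.items()
                  if s.startswith(scheme + "://")
                  and keys.get("disabled", "0").strip().lower() not in off)

def in_use(layers, scheme):
    """True if any instance of the scheme is enabled in the merged configuration."""
    return bool(active_instances(merge_layers(layers), scheme))

if __name__ == "__main__":
    print(active_instances(merge_layers([SYSTEM_DEFAULT, APP_LOCAL]), "WinPrintMon"))
    print(in_use([SYSTEM_DEFAULT], "WinPrintMon"))
```

On a real forwarder the same layering is what `splunk btool inputs list --debug` shows, so run that before trusting a stanza that appears only in etc/system/default.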

cphair
Builder

Thanks for confirming.

0 Karma