https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483058#M9445 <P>Set index = false for indexAndForward in outputs.conf.</P> <PRE><CODE>[indexAndForward] index=false </CODE></PRE> Wed, 26 Feb 2020 14:49:14 GMT manjunathmeti 2020-02-26T14:49:14Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483057#M9444 <H1>outputs.conf</H1> <P>[syslog:syslogGroup]<BR /> server = x.x.x.x:514</P> <H1>props.conf</H1> <P>[helloworld]<BR /> TRANSFORMS-rsyslog = syslogRouting</P> <H1>transforms.conf</H1> <P>[syslogRouting]<BR /> REGEX = .<BR /> DEST_KEY = _SYSLOG_ROUTING<BR /> FORMAT = syslogGroup</P> <P>This config is applied on an indexer (many tutorials use a heavy forwarder which by defaults does not index data). This works perfectly in forwarding rawdata in syslog to another system however rawdata is also being indexed. Is there a way to prevent indexing from happening?</P> <P>I've tried adding a nullQueue stanza to props.conf without luck.</P> Wed, 30 Sep 2020 04:24:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483057#M9444 bvv 2020-09-30T04:24:55Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483058#M9445 <P>Set index = false for indexAndForward in outputs.conf.</P> <PRE><CODE>[indexAndForward] index=false </CODE></PRE> Wed, 26 Feb 2020 14:49:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483058#M9445 manjunathmeti 2020-02-26T14:49:14Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483059#M9446 <P>This will stop not just [helloworld] but all other indexes from indexing.</P> <P>The splunk instance itself is an Indexer and a Search Head at the same time.</P> Thu, 27 Feb 2020 00:56:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483059#M9446 bvv 2020-02-27T00:56:06Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483060#M9447 <P>Is the data already cooked when it hits the indexer? / What's forwarding the data to the indexer?</P> Thu, 27 Feb 2020 01:04:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483060#M9447 masonmorales 2020-02-27T01:04:17Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483061#M9448 <P>Data is not not cooked<BR /> UF--&gt;This splunk instance (both Indexer and Search Head role)</P> Thu, 27 Feb 2020 01:12:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483061#M9448 bvv 2020-02-27T01:12:17Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483062#M9449 <P>You can try this. Set selectiveIndexing = true. And remove attribute <STRONG>_INDEX_AND_FORWARD_ROUTING</STRONG> if added under monitor stanza in inputs.conf. This makes forwarder to not index this data.</P> <PRE><CODE>[indexAndForward] index=true selectiveIndexing = true </CODE></PRE> Wed, 30 Sep 2020 04:25:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483062#M9449 manjunathmeti 2020-09-30T04:25:13Z https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483063#M9450 <P>This stopped indexing on all indexes as well..<BR /> I might consider setting up a HF to pick up data from UF instead of sending directly to Indexer.</P> Thu, 27 Feb 2020 06:56:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/Prevent-Indexer-from-indexing-whilst-forwarding-syslog-to-a-3rd/m-p/483063#M9450 bvv 2020-02-27T06:56:48Z