topic Re: Why is my Splunk Heavy Forwarder still indexing events in Getting Data In

Why is my Splunk Heavy Forwarder still indexing events

ic_101 — Fri, 13 Feb 2015 15:26:38 GMT

Hi,

I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.

I have my own props.conf and transform.conf in ..etc-system-local that obfuscates some data before forwarding. Outputs is configured for syslog UDP port 514.

Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.

Re: Why is my Splunk Heavy Forwarder still indexing events

bwooden — Fri, 13 Feb 2015 17:12:02 GMT

It sounds like that setting is not being honored. Did you re-start Splunk after editing that file? What are the results of

/opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward

Re: Why is my Splunk Heavy Forwarder still indexing events

ic_101 — Fri, 13 Feb 2015 17:33:54 GMT

Splunk was re-started after editing the file.

Results of command show indexAndForward = false in local and default instances of output.conf.

Re: Why is my Splunk Heavy Forwarder still indexing events

phoffman_splunk — Fri, 13 Feb 2015 18:23:11 GMT

To clarify; disabling the indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?

so your outputs.conf has:
[tcpout]
indexAndForward = false

Re: Why is my Splunk Heavy Forwarder still indexing events

ic_101 — Fri, 13 Feb 2015 18:38:14 GMT

I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.

Re: Why is my Splunk Heavy Forwarder still indexing events

bwooden — Fri, 13 Feb 2015 18:43:53 GMT

Per phoffman_splunk, it must be defined globally. From the spec file:

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.

Re: Why is my Splunk Heavy Forwarder still indexing events

ic_101 — Mon, 16 Feb 2015 14:24:06 GMT

It is defined globally in the defaults outputs.conf. However this was not being honoured for some reason so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.

Is there a way to verify if the installation has been set up as a Forwarder only, i.e. it shouldn't need to index? Could this be the problem?