Stream App - Limit the protocols being indexed from the forwarder/server, not the search head

Path Finder

Howdy,

I want to monitor NFS wire data using the stream app. Right now, I can enable NFS on the search head and it does obtain NFS for that specific server, as well as every other server I use NFS on. I don't want this. I want to limit what servers actually send their NFS, FTP, and whatever else to the indexers. I'm seeing this may be possible in the streamfwd.xml, but I'm not comprehending the documentation for that file properly as everything I try is not working. There are not enough examples in the documentation....

Can someone point me to the right configuration to use? I wonder if the inputs.conf can be used here...

Edit: I'm wondering now if it's actually a matter of disabling everything but what I want on all hosts in the network that use the stream app. I can puppetize this, but I'll wait to hear back from someone here about how best to achieve this.

0 Karma
1 Solution

Splunk Employee

It is not currently possible to change the protocols captured by specific servers (other than perhaps installing a separate instance of App for Stream and pointing the inputs.conf parameter to it). This is a commonly requested feature, and high on our roadmap.

Path Finder

Good to know. What would your estimate be on the release of this feature? Maybe this year? Next?

0 Karma

Splunk Employee

We can't ever commit to anything, but it's slated for our next release.

0 Karma