Would there be any suggestions on properly forward...

kristen · ‎10-11-2022

I have configured connection between the heavy forwarder and indexer. Also I created a custom index on the indexer.

When I configure HEC on the heavy forwarder, I suppose to be able to select index created on the indexer. However, I cannot select the custom index from the heavy forwarder.

Would there be any suggestions on properly forwarding HEC logs from heavy forwarder to indexer? Thank you.

gcusello · ‎10-11-2022

Hi @kristen,

yes it's correct, from the GUi of an heavy Forwarder isn't possible to address a remote index.

You have two solutions:

after the HEC configuration, manually add the index definition in the inputs.conf (this requires Splunk restart),
create a local index with the same name of the remote one, only to have it in the GUI list.

I hint to add this problem to Splunk Ideas (ideas.splunk.com).

Ciao.

Giuseppe

Would there be any suggestions on properly forwarding HEC logs from heavy forwarder to indexer?

configuration

troubleshooting

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?