perfmon:sqlserver set to disabled, still receiving data on the Indexer?

damode
Motivator

I have set the Universal Forwarder on SQL Server to forward all data to the heavy forwarder. However, in the search results of the Indexer, for the indexed data from SQL, it shows the "Splunk Server" field as the Indexer and NOT the H.F. I feel it should show the Splunk server field as the Heavy Forwarder, as that's the Splunk server where the data is coming from. Please let me know if my understanding is wrong.
Could this be because I have set forwarding defaults in the Heavy Forwarder to NOT store local data?

The second important question is: I have installed the SQL Server add-on on the Indexer and the H.F, where all the inputs are set to disabled = 1 for the perfmon:sqlserver data in the inputs.conf file of the local folder of the add-on. However, despite that, I am still getting a huge amount of Perfmon:sqlserver data on the indexer.

Can someone please help me figure out where I can make the change to stop this huge amount of unnecessary data?

Thanks.


gjanders
SplunkTrust

The splunk server field is where the data was indexed; it does not matter which server forwarded the data.
The host field is the field you may want to look at. That defaults to the server forwarding the data, although it can be overridden to something else if required.

For your second question, if the heavy forwarder is collecting the perfmon:sqlserver data, have you restarted it since changing the settings?
If you have, try running (on the heavy forwarder):

splunk btool inputs list --debug

To confirm the input is disabled as you expect...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
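
An added example, not part of the original answer or of Splunk's own tooling: a small parser for `splunk btool inputs list --debug` output that lists every `perfmon://` input still enabled and the file that decided it. The sample output, the app name and the stanza names are constructed, and treating a missing `disabled` key as enabled is an assumption based on Splunk's default.

```python
import re

# Constructed sample of `splunk btool inputs list --debug` output from a Windows
# universal forwarder. App name and stanza names are made up for illustration.
UF = r"C:\Program Files\SplunkUniversalForwarder\etc"
APP = UF + r"\apps\example_sql_ta"
SAMPLE = "\n".join([
    APP + r"\local\inputs.conf    [perfmon://example_sql_buffer]",
    APP + r"\default\inputs.conf  counters = *",
    APP + r"\local\inputs.conf    disabled = 1",
    APP + r"\default\inputs.conf  [perfmon://example_sql_locks]",
    APP + r"\default\inputs.conf  disabled = 0",
    APP + r"\default\inputs.conf  [perfmon://example_sql_memory]",
    APP + r"\default\inputs.conf  interval = 60",
    UF + r"\system\default\inputs.conf  [monitor://example.log]",
    UF + r"\system\default\inputs.conf  disabled = 0",
])

# Each --debug line is "<file that supplied it> <stanza header or key = value>".
# The Windows install path contains spaces, so split at the end of ".conf".
LINE = re.compile(r"^(?P<src>.*?\.conf)\s+(?P<body>.+)$")
TRUE = {"1", "true", "t", "yes", "y"}  # common boolean spellings for "true"

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, body = m.group("src"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            current[key] = (value, src)
    return stanzas

def enabled_inputs(text, prefix="perfmon://"):
    """List (stanza, deciding_file) for inputs under prefix that are not disabled."""
    found = []
    for name, settings in parse_btool(text).items():
        if not name.startswith(prefix):
            continue
        # Assumption: no `disabled` key means the input is enabled.
        value, src = settings.get("disabled", ("0", "not set"))
        if value.lower() not in TRUE:
            found.append((name, src))
    return found
```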

damode
Motivator

Hi @garethatiag,

Thanks a lot for your valuable input. I checked the inputs using btool after restarting the H.F, but that still didn't help.

I re-read the Splunk instructions for this add-on and noticed that this add-on is not required on the Indexer or H.F because this add-on does not include any index-time operations. Maybe that's why disabling inputs on the Indexer or Heavy Forwarder didn't make any difference.

Does that mean I have to disable the inputs for this add-on on the Universal Forwarder?


gjanders
SplunkTrust

You will need to disable the setting on the forwarder that is gathering these logs; if that's the universal forwarder then you can disable it there...


damode
Motivator

It's the Universal Forwarder installed on the Windows host that is gathering logs, then forwarding to the heavy forwarder.


gjanders
SplunkTrust

OK, then the universal forwarder's input for this must be disabled...