I am setting up distributed deployment monitor and trying to follow the Best Practices of sending the search head internal data to the indexers but using the basic recommended outputs.conf it also forwards the files in the dispatch folder to the indexer. I have very limited space for this folder on the indexer. How do you not forward the dispatch folder?
Thanks
Thanks all - I ended up expanding the /opt partition - thanks lguinn you.
guessing, that the files you are referring to are the app bundles replicated to search peers... and not indexed data.
if true, you can blacklist the files you do not want to be replicated in distsearch.conf
hope this helps.
outputs.conf does not control what is forwarded, only where the data is sent.
It should not be forwarding the dispatch directory. The internal logs are found in $SPLUNK_HOME/var/log/splunk
Can you post the outputs.conf and the inputs.conf that you are using?
sorry I ment distributed monitoring console-