Re: Best Practice forward search head to indexer b...

medunmeyer · ‎11-13-2016

I am setting up distributed deployment monitor and trying to follow the Best Practices of sending the search head internal data to the indexers but using the basic recommended outputs.conf it also forwards the files in the dispatch folder to the indexer. I have very limited space for this folder on the indexer. How do you not forward the dispatch folder?

Thanks

medunmeyer · ‎12-09-2016

Thanks all - I ended up expanding the /opt partition - thanks lguinn you.

lweber · ‎11-21-2016

guessing, that the files you are referring to are the app bundles replicated to search peers... and not indexed data.

if true, you can blacklist the files you do not want to be replicated in distsearch.conf

see also: https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Distsearchconf#REPLICATION_BLACKLIST_OPTION...

hope this helps.

lguinn2 · ‎11-20-2016

outputs.conf does not control what is forwarded, only where the data is sent.
It should not be forwarding the dispatch directory. The internal logs are found in $SPLUNK_HOME/var/log/splunk

Can you post the outputs.conf and the inputs.conf that you are using?

medunmeyer · ‎11-20-2016

sorry I ment distributed monitoring console-

Best Practice forward search head to indexer but dispatch folder fills -how to not forward dispatch

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases