When configuring data inputs on a heavy forwarder via the GUI (HEC, for instance), the destination index is requested but it has to be selected from a list which obviously is not coming from our indexers because it contains only default indexes.
Should we add the indexers as search peers for this list to be correctly populated ? Is it best practice or is there any drawback doing so ? Also do you add the heavy forwarders as search heads in the monitoring console ?
As @gcusello said if you want to select index from list then you must add those to HF. As you have configured index forwarding (at least you should) there is no real harm to copy same indexes.conf from IDX to HF. Another option is use directly those config files to add hec information or use cli for that.
r. Ismo
Yes, you don't see the indexes when you go to Settings > Data Inputs (in the GUI) and configure any of the data inputs on this page (HTTP event collector, for instance).
My question was actually if there was a possibility to make them visible in the list (because contrary to the sourcetype, you can not type anything, you have to select from a fixed list).
Hi @yoho,
the only way to see in the list is to create indexes on HFs but it's unuseful!
Ciao.
Giuseppe
As @gcusello said if you want to select index from list then you must add those to HF. As you have configured index forwarding (at least you should) there is no real harm to copy same indexes.conf from IDX to HF. Another option is use directly those config files to add hec information or use cli for that.
r. Ismo
Ok, thanks for the replies. I find it stupid the choice of index is not:
Hi @yoho,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @yoho,
you need to add Indexes to the HF only if you want to sore a local copy of data otherwise you don't need it.
Obviously you have to know the names of the indexes to send data that are on Indexers because you don't see them in HFs.
Ciao.
Giuseppe