Deployment Architecture

How do I disable local indexing and forward data?

ddrillic
Ultra Champion

I understand that the best practice is to disable local indexing and forward data from the search heads, cluster master, the deployment servers, etc to the indexers. The syntax for outputs.confI see is -

[indexAndForward]
index = false

[tcpout]
defaultGroup = <group name>
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:<group name>]
server=<list of indexers and ports>

Not sure how to read it because we have the indexAndForward as a stanza and also within the tcpout stanza as indexAndForward = false.

So, we don't want to index but we want to forward. The forward part is done, I assume, via - forwardedindex.filter.disable = true...

Tags (1)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @ddrillic,

While looking at spec file of outputs.conf, if you define index = false in [indexAndForward] it supersedes value defined in [tcpout] stanza.

# If the [tcpout] stanza configures the indexAndForward setting, the value
# of that setting overrides the default value of 'index'. However, if you
# set 'index' in the [indexAndForward] stanza described below, it
# supersedes any value set in [tcpout].

When you set forwardedindex.filter.disable = true, splunk do not filter indexes based on forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist parameters which means every data will be indexed.

By default in outputs.conf below configuration is present

forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi @ddrillic,

While looking at spec file of outputs.conf, if you define index = false in [indexAndForward] it supersedes value defined in [tcpout] stanza.

# If the [tcpout] stanza configures the indexAndForward setting, the value
# of that setting overrides the default value of 'index'. However, if you
# set 'index' in the [indexAndForward] stanza described below, it
# supersedes any value set in [tcpout].

When you set forwardedindex.filter.disable = true, splunk do not filter indexes based on forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist parameters which means every data will be indexed.

By default in outputs.conf below configuration is present

forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false

ddrillic
Ultra Champion

Gorgeous as usual @harsmarvania57.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

You're welcome

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...