Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How do I disable local indexing and forward data?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand that the best practice is to disable local indexing and forward data from the search heads, cluster master, the deployment servers, etc to the indexers. The syntax for outputs.confI see is -
[indexAndForward]
index = false
[tcpout]
defaultGroup = <group name>
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:<group name>]
server=<list of indexers and ports>
Not sure how to read it because we have the indexAndForward as a stanza and also within the tcpout stanza as indexAndForward = false.
So, we don't want to index but we want to forward. The forward part is done, I assume, via - forwardedindex.filter.disable = true...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ddrillic,
While looking at spec file of outputs.conf, if you define index = false in [indexAndForward] it supersedes value defined in [tcpout] stanza.
# If the [tcpout] stanza configures the indexAndForward setting, the value
# of that setting overrides the default value of 'index'. However, if you
# set 'index' in the [indexAndForward] stanza described below, it
# supersedes any value set in [tcpout].
When you set forwardedindex.filter.disable = true, splunk do not filter indexes based on forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist parameters which means every data will be indexed.
By default in outputs.conf below configuration is present
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ddrillic,
While looking at spec file of outputs.conf, if you define index = false in [indexAndForward] it supersedes value defined in [tcpout] stanza.
# If the [tcpout] stanza configures the indexAndForward setting, the value
# of that setting overrides the default value of 'index'. However, if you
# set 'index' in the [indexAndForward] stanza described below, it
# supersedes any value set in [tcpout].
When you set forwardedindex.filter.disable = true, splunk do not filter indexes based on forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist parameters which means every data will be indexed.
By default in outputs.conf below configuration is present
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gorgeous as usual @harsmarvania57.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
