Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to disable forwarding from a particular Deployment Client from within the Forwarder Management app or if not that then on the CLI?

wrangler2x
Motivator
‎01-21-2015 03:42 PM

I had an exchange server spew 8 gigabytes of logs at me in an hour (it usually sends about a gig a day). As my license is only 10 gigabytes/day, this is not good. I am using Forwarder Management (just started using it after upgrading to 6.1 a while back). I notice one of the settings for the app is 'enable app'. If you un-check this does it cause that app to be disabled on the deployment clients?

But what I'd really like to do is to be able to disable taking logs from one particular host. If not in Forwarder Management then is there another way on the indexer to temporarily ignore the logs, or to disable the particular Deployment Client? I suppose I could comment-out the inputs.conf stanza in the Deployment App, but when that app is part of a serverclass that has multiple Deployment Clients associated with it that hoses everyone else.

Tags (2)
0 Karma
Reply

thomrs
Communicator
‎01-21-2015 04:10 PM

You could use whitelist/blacklist in your serverclass.conf. Blacklist everything and add the hosts you want to forward. When you need to pulls server remove it from the whitelist and reload deploy server. The app will be removed from the host and forwardig stops for that app, reverse the process to push it back out.

Note the GUI dies not support this so it will go to read only mode, worth the flexibility to me.

You could get creative and if you see the flood of logs coming have an alert triggers script to do the above when conditions are right.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

0 Karma
Reply

the_wolverine
Champion
‎01-21-2015 03:48 PM

I don't think you have this sort of control from the Deployment app but you can block this forwarder at the indexer level in inputs.conf.

http://answers.splunk.com/answers/131270/any-way-to-selectively-nullqueue-data-from-heavy-forwarder....

This method should work for both heavy and light (Universal) forwarded events.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...