Deployment Architecture

Is there a way to disable forwarding from a particular Deployment Client from within the Forwarder Management app or if not that then on the CLI?

Motivator

I had an exchange server spew 8 gigabytes of logs at me in an hour (it usually sends about a gig a day). As my license is only 10 gigabytes/day, this is not good. I am using Forwarder Management (just started using it after upgrading to 6.1 a while back). I notice one of the settings for the app is 'enable app'. If you un-check this does it cause that app to be disabled on the deployment clients?

But what I'd really like to do is to be able to disable taking logs from one particular host. If not in Forwarder Management then is there another way on the indexer to temporarily ignore the logs, or to disable the particular Deployment Client? I suppose I could comment-out the inputs.conf stanza in the Deployment App, but when that app is part of a serverclass that has multiple Deployment Clients associated with it that hoses everyone else.

Tags (2)
0 Karma

Communicator

You could use whitelist/blacklist in your serverclass.conf. Blacklist everything and add the hosts you want to forward. When you need to pulls server remove it from the whitelist and reload deploy server. The app will be removed from the host and forwardig stops for that app, reverse the process to push it back out.

Note the GUI dies not support this so it will go to read only mode, worth the flexibility to me.

You could get creative and if you see the flood of logs coming have an alert triggers script to do the above when conditions are right.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

0 Karma

Champion

I don't think you have this sort of control from the Deployment app but you can block this forwarder at the indexer level in inputs.conf.

http://answers.splunk.com/answers/131270/any-way-to-selectively-nullqueue-data-from-heavy-forwarder....

This method should work for both heavy and light (Universal) forwarded events.

0 Karma