Re: Add Remote Index to Heavy Forwarder

caviman2201 · ‎06-27-2014

I have several heavy forwarders in my environment and when I configure data inputs on them, to get the forwarder to send the events to my indexer and put them in a specific index, I have to use inputs.conf. Is there any way to add the indexes on my indexer to the available indexes in the drop-down menu on the web interface of the heavy forwarder?

lguinn2 · ‎06-27-2014

No, there is not. The drop-down is populated based on the actual indexes that exist on the local machine (ie, the contents of $SPLUNK_HOME/var/lib/splunk.) I don't think it would be a good idea to create those indexes locally...

caviman2201 · ‎06-30-2014

So there's really no point to a Heavy Forwarder then over a Light Forwarder if I have to do almost everything in the text files anyway... The problem I'm running into is that I want to be able to use the GUI's text file preview/source type creation wizard AND have the forwarder send the events to my indexer as opposed to indexing them locally...

Are you saying that isn't possible?

Add Remote Index to Heavy Forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation