- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can I enable filtering on a Splunk Light Forwarder...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I enable filtering on a Splunk Light Forwarder?
All I want to do is to use the filtering functionality on the Splunk Light Forwarder without having to enable the Heavy Forwarder, as most features are disabled in the Splunk Light Forwarder as stated here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities
I would still like to use the Splunk Light Forwarder but enable the filtering feature only, Can this be done, if so then how?
I do recall that there was a way to enable this on a Splunk Light Forwarder, as this functionality is actually disabled and not removed, so enabling it should be possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, if you use the Light Forwarder, you cannot enable filtering. Filtering requires parsing and parsing requires a heavy forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I decided to the the filtering from the Splunk SearchHead/indexer side, passing the logs through using a Splunk Light Forwarder.
Ill leave this question as a reference for others who may search for the same questions.
Thanks anyways Splunkers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, you are wrong. You can't do it. It's not an option. There is no way to enable it, unless as MuS says, you enable parsing again. Then it becomes a heavy forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question is though, how would I be able to enable it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
true, but indexing and all the other functionalists would be turned off, so I would just have this extra function, we can call it a Light Heavy forwarder??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one could enable parsing again, but then it is no longer a light forwarder 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So your saying there is absolutely no way to enable filtering on a Splunk Light Forwarder at all?, cause its just disabled and not removed, so Im sure there is a way to enable this disabled functionality.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. Those settings will just be ignored.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But I was told that all I have to do is create a props.conf file under /system/local and Im all set for when I start the forwarding, so its simply just enabling that extra feature?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
