Getting Data In

Can I enable filtering on a Splunk Light Forwarder?

Dark_Ichigo
Builder

All I want to do is to use the filtering functionality on the Splunk Light Forwarder without having to enable the Heavy Forwarder, as most features are disabled in the Splunk Light Forwarder as stated here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities

I would still like to use the Splunk Light Forwarder but enable the filtering feature only, Can this be done, if so then how?

I do recall that there was a way to enable this on a Splunk Light Forwarder, as this functionality is actually disabled and not removed, so enabling it should be possible.

0 Karma

lguinn2
Legend

Nope, if you use the Light Forwarder, you cannot enable filtering. Filtering requires parsing and parsing requires a heavy forwarder.

Dark_Ichigo
Builder

Well I decided to the the filtering from the Splunk SearchHead/indexer side, passing the logs through using a Splunk Light Forwarder.

Ill leave this question as a reference for others who may search for the same questions.

Thanks anyways Splunkers

0 Karma

lguinn2
Legend

Sorry, you are wrong. You can't do it. It's not an option. There is no way to enable it, unless as MuS says, you enable parsing again. Then it becomes a heavy forwarder.

Dark_Ichigo
Builder

Question is though, how would I be able to enable it?

0 Karma

Dark_Ichigo
Builder

true, but indexing and all the other functionalists would be turned off, so I would just have this extra function, we can call it a Light Heavy forwarder??

0 Karma

MuS
SplunkTrust
SplunkTrust

one could enable parsing again, but then it is no longer a light forwarder 😉

0 Karma

Dark_Ichigo
Builder

So your saying there is absolutely no way to enable filtering on a Splunk Light Forwarder at all?, cause its just disabled and not removed, so Im sure there is a way to enable this disabled functionality.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

No. Those settings will just be ignored.

0 Karma

Dark_Ichigo
Builder

But I was told that all I have to do is create a props.conf file under /system/local and Im all set for when I start the forwarding, so its simply just enabling that extra feature?

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...