Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I enable filtering on a Splunk Light Forwarder?

Dark_Ichigo
Builder
‎10-23-2012 07:34 PM

All I want to do is to use the filtering functionality on the Splunk Light Forwarder without having to enable the Heavy Forwarder, as most features are disabled in the Splunk Light Forwarder as stated here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities

I would still like to use the Splunk Light Forwarder but enable the filtering feature only, Can this be done, if so then how?

I do recall that there was a way to enable this on a Splunk Light Forwarder, as this functionality is actually disabled and not removed, so enabling it should be possible.

0 Karma
Reply

lguinn2
Legend
‎10-23-2012 08:16 PM

Nope, if you use the Light Forwarder, you cannot enable filtering. Filtering requires parsing and parsing requires a heavy forwarder.

Reply

Dark_Ichigo
Builder
‎10-24-2012 04:52 PM

Well I decided to the the filtering from the Splunk SearchHead/indexer side, passing the logs through using a Splunk Light Forwarder.

Ill leave this question as a reference for others who may search for the same questions.

Thanks anyways Splunkers

0 Karma
Reply

lguinn2
Legend
‎10-24-2012 06:07 AM

Sorry, you are wrong. You can't do it. It's not an option. There is no way to enable it, unless as MuS says, you enable parsing again. Then it becomes a heavy forwarder.

Reply

Dark_Ichigo
Builder
‎10-23-2012 11:22 PM

Question is though, how would I be able to enable it?

0 Karma
Reply

Dark_Ichigo
Builder
‎10-23-2012 11:22 PM

true, but indexing and all the other functionalists would be turned off, so I would just have this extra function, we can call it a Light Heavy forwarder??

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-23-2012 10:50 PM

one could enable parsing again, but then it is no longer a light forwarder 😉

0 Karma
Reply

Dark_Ichigo
Builder
‎10-23-2012 09:09 PM

So your saying there is absolutely no way to enable filtering on a Splunk Light Forwarder at all?, cause its just disabled and not removed, so Im sure there is a way to enable this disabled functionality.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-23-2012 08:36 PM

No. Those settings will just be ignored.

0 Karma
Reply

Dark_Ichigo
Builder
‎10-23-2012 08:27 PM

But I was told that all I have to do is create a props.conf file under /system/local and Im all set for when I start the forwarding, so its simply just enabling that extra feature?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...