Getting Data In

Heavy Forwarder batch stanza bug

cwacha
Path Finder

Actual Situation:

A Heavy Forwarder with the [batch://] stanza configured using default values reads files from a directory and forwards them to a second indexer.
Note that there is no index= mapping defined in inputs.conf. A call to

splunk cmd btool inputs list --debug

shows that the index for this input is set to default. On the indexer side, all log records from this source will end up in index=default (as we would expect). Unfortunately, no matter what you configure in the indexer's transforms.conf, they always end up in the default index. It is not possible to redirect the events to another index.

Expected Situation:

A proper transforms.conf on the indexer should make it possible to redirect the records to an index of choice.

Additional Findings:

If we add the exact statement

index=test1

to the batch stanza on the Heavy Forwarder (so that the records would go to index test1), the same settings in transforms.conf on the indexer suddenly begin to work!
It seems that redirecting the data on the indexer to an index of choice is only possible if any (even non-existent) index is configured on the Heavy Forwarder side.

I consider this a bug. Please fix. 🙂

0 Karma
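An added example, not part of the original post and not Splunk's own code: a small check over `splunk cmd btool inputs list --debug` output that lists [batch://] stanzas whose index is inherited rather than set explicitly, which is the condition the post describes. The sample output is constructed; its layout (source file path followed by the stanza header or setting) and the use of etc/system/default as the marker for an inherited value are assumptions.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Assumed layout per line: "<conf file path> <stanza header or key = value>".
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/ingest/local/inputs.conf   [batch:///data/spool/a]
/opt/splunk/etc/system/default/inputs.conf      host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf      index = default
/opt/splunk/etc/apps/ingest/local/inputs.conf   move_policy = sinkhole
/opt/splunk/etc/apps/ingest/local/inputs.conf   [batch:///data/spool/b]
/opt/splunk/etc/system/default/inputs.conf      host = $decideOnStartup
/opt/splunk/etc/apps/ingest/local/inputs.conf   index = test1
/opt/splunk/etc/apps/ingest/local/inputs.conf   move_policy = sinkhole
/opt/splunk/etc/system/default/inputs.conf      [default]
/opt/splunk/etc/system/default/inputs.conf      index = default
"""

LINE = re.compile(r"(\S+)\s+(.+)")  # source file, then the rest of the line

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a source-file prefix
        src, body = m.group(1), m.group(2).strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif "=" in body and current is not None:
            key, _, value = body.partition("=")
            current[key.strip()] = (value.strip(), src)
    return stanzas

def batch_inputs_with_inherited_index(text, default_dir="/etc/system/default/"):
    """List (stanza, index, source) for batch inputs with no explicit index."""
    findings = []
    for name, settings in parse_btool(text).items():
        if name.startswith("batch://"):
            value, src = settings.get("index", (None, None))
            if src is None or default_dir in src:
                findings.append((name, value, src))
    return findings

if __name__ == "__main__":
    for stanza, index, src in batch_inputs_with_inherited_index(SAMPLE_BTOOL):
        print(f"[{stanza}] index={index} inherited from {src}")
```
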

Drainy
Champion

If I am understanding this correctly, you have an indexer that is also forwarding its results on to another indexer?
If so, once it reads them in once, it will assign an index to them; when they are forwarded on, they will also head into the same index. In that case you need to define the initial index as you did in your additional findings section, which would result in them landing in the correct index.

Some other parts in case I am off the mark:
What version of Splunk are you running? (Indexer and Heavy Forwarder).

Do you definitely require the use of a heavy forwarder, or could you swap it out for a universal forwarder? This is more lightweight, and if nothing is defined it should happily forward on to an indexer and into the specified index on the receiving side.

0 Karma