Getting Data In

How do I configure a heavy forwarder not to index the data it receives?

jamesvz84
Communicator

How do I tell a heavy forwarder not to index the data it receives? I've seen sample inputs.conf and outputs.conf, but nowhere does it specify this behavior.

I have these configs:

Outputs.conf:
[tcpout:indexQueue]
server = 10.1.1.5:9997
autoLB = true

Inputs.conf:
[splunktcp:9997]

1 Solution

somesoni2
Revered Legend

In outputs.conf, there is an attribute called "IndexAndForward" which, when true, makes the heavy forwarder index the data locally in addition to forwarding it. The default value is false, so it generally isn't specified if the heavy forwarder is not storing data locally. See more details here:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Outputsconf

verbal_666
Communicator

Hi.
I took out this thread for an addition... for a problem I found in my infrastructure...

The Infrastructure
UFs -- [HF] -- IDX

The problem
... due to firewall problems, all UFs have outputs pointing to both HF and IDX at the same time, in the default stanza... some hosts join IDX directly (since fw blocks HF flow), some join HF only (same as before), some join both... I found that when some inputs go to IDX directly I get my props (IDX only) parsed right; when passing through HF (no props), parsing is broken (HF-->IDX, HF parses source by default and passes wrong events to IDX, which does not elaborate/parse props as well).

The solution
Deploying the same props both to IDX and also to HF, by giving HF the same DS as IDX has. OK.

The workaround (if possible, I don't think it can be done)
Bypass parsing (props) in HF and forward data as a common UF to IDX.
Is there a conf to match this behaviour?

Thanks.

0 Karma

woodcock
Esteemed Legend

Just put disabled=true anywhere under a stanza header to disable the entire stanza.

0 Karma

ChrisG
Splunk Employee

Indexing is disabled by default in a heavy forwarder. Did you set indexAndForward to true in a [tcpout] stanza in outputs.conf? If you didn't, you shouldn't have any indexing on the heavy forwarder.

See Types of forwarders and Configure forwarders with outputs.conf in the Forwarding Data manual.
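
An added example (not written by any poster in this thread, and not Splunk's own code): a Python check that reads one outputs.conf and reports whether the [tcpout] stanza turns on indexAndForward, treating an absent setting as false as the answers here describe. The function names, the set of accepted true values and the sample configs are assumptions constructed for illustration.

```python
import re

# Assumption: spellings Splunk accepts as boolean true in .conf files.
TRUE_VALUES = {"1", "t", "true", "y", "yes"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_index_and_forward(text):
    """Return (indexes_locally, warnings) for one outputs.conf."""
    stanzas = parse_conf(text)
    warnings = []
    for name, settings in stanzas.items():
        for key in settings:
            # Setting names are case-sensitive, so a mis-cased key is not honored.
            if key.lower() == "indexandforward" and key != "indexAndForward":
                warnings.append(f"[{name}] {key}: wrong case, setting is ignored")
    # Absent from [tcpout] means the default, false: forward without indexing.
    value = stanzas.get("tcpout", {}).get("indexAndForward", "false")
    return value.lower() in TRUE_VALUES, warnings

# Constructed samples: the asker's outputs.conf, and a variant that indexes locally.
FORWARD_ONLY = """\
[tcpout:indexQueue]
server = 10.1.1.5:9997
autoLB = true
"""
INDEX_AND_FORWARD = """\
[tcpout]
defaultGroup = indexQueue
indexAndForward = true
"""

if __name__ == "__main__":
    for label, conf in (("forward only", FORWARD_ONLY), ("index and forward", INDEX_AND_FORWARD)):
        print(label, audit_index_and_forward(conf))
```

This reads a single file only; on a live forwarder the merged result across all apps is what `splunk btool outputs list --debug` prints.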
