Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I configure a heavy forwarder not to index the data it receives?

jamesvz84
Communicator
‎08-24-2015 04:10 PM

How do I tell a heavy forwarder not to index the data it receives? I've seen sample inputs.conf and outputs.conf, but nowhere does it specify this behavior.

I have these configs:

Outputs.conf:
[tcpout:indexQueue]
server = 10.1.1.5:9997
autoLB = true

Inputs.conf:
[splunktcp:9997]

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2015 04:39 PM

In outputs.conf, there is an attribute called "IndexAndForward" which when true, will make Heavy forwarder index the data locally, along with forwarding it. The default value is false, hence generally, it's not specified, if Heavy forwarder is not storing data locally. See more details here.
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Outputsconf

View solution in original post

Reply
Solved! Jump to solution

verbal_666
Builder
‎12-08-2019 10:44 AM

Hi.
I took out this thread for an addition... for a problem i found in my infrastructure...

The Infrastructure
UFs -- [HF] -- IDX

The problem
... do to firewall problems, all UFs have outputs to point to both HF and IDX, at the same time, in default stanza... some hosts join IDX directly (since fw blocks HF flow), some join HF only (same as before), some join both... i found that when some inputs go to IDX direcly i got my props (IDX only) parsed right, when passing through HF (no props), parsing is broken (HF-->IDX, HF parses source by default and passes wrong events to IDX which do not elaborate/parse props as well).

The solution
Deploying same props both to IDX, as well, and also to HF, by giving HF same DS as IDX has. Ok.

The workaround (if possible, i don't think can do it)
Bypass parsing (props) in HF and forwarding datas as a common UF to IDX.
Is there a conf to match this behaviour?

Thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-24-2015 05:08 PM

Just put disabled=true anywhere under a stanza header to disable the entire stanza.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎08-24-2015 04:43 PM

Indexing is disabled by default in a heavy forwarder. Did you set indexAndForward to true in a [tcpout] stanza in outputs.conf? If you didn't, you shouldn't have any indexing on the heavy forwarder.

See Types of forwarders and Configure forwarders with outputs.conf in the Forwarding Data manual.

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2015 04:39 PM

In outputs.conf, there is an attribute called "IndexAndForward" which when true, will make Heavy forwarder index the data locally, along with forwarding it. The default value is false, hence generally, it's not specified, if Heavy forwarder is not storing data locally. See more details here.
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Outputsconf

Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...