Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I configure a heavy forwarder not to index the data it receives?

jamesvz84
Communicator
‎08-24-2015 04:10 PM

How do I tell a heavy forwarder not to index the data it receives? I've seen sample inputs.conf and outputs.conf, but nowhere does it specify this behavior.

I have these configs:

Outputs.conf:
[tcpout:indexQueue]
server = 10.1.1.5:9997
autoLB = true

Inputs.conf:
[splunktcp:9997]

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2015 04:39 PM

In outputs.conf, there is an attribute called "IndexAndForward" which when true, will make Heavy forwarder index the data locally, along with forwarding it. The default value is false, hence generally, it's not specified, if Heavy forwarder is not storing data locally. See more details here.
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Outputsconf

View solution in original post

Reply
Solved! Jump to solution

verbal_666
Builder
‎12-08-2019 10:44 AM

Hi.
I took out this thread for an addition... for a problem i found in my infrastructure...

The Infrastructure
UFs -- [HF] -- IDX

The problem
... do to firewall problems, all UFs have outputs to point to both HF and IDX, at the same time, in default stanza... some hosts join IDX directly (since fw blocks HF flow), some join HF only (same as before), some join both... i found that when some inputs go to IDX direcly i got my props (IDX only) parsed right, when passing through HF (no props), parsing is broken (HF-->IDX, HF parses source by default and passes wrong events to IDX which do not elaborate/parse props as well).

The solution
Deploying same props both to IDX, as well, and also to HF, by giving HF same DS as IDX has. Ok.

The workaround (if possible, i don't think can do it)
Bypass parsing (props) in HF and forwarding datas as a common UF to IDX.
Is there a conf to match this behaviour?

Thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-24-2015 05:08 PM

Just put disabled=true anywhere under a stanza header to disable the entire stanza.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎08-24-2015 04:43 PM

Indexing is disabled by default in a heavy forwarder. Did you set indexAndForward to true in a [tcpout] stanza in outputs.conf? If you didn't, you shouldn't have any indexing on the heavy forwarder.

See Types of forwarders and Configure forwarders with outputs.conf in the Forwarding Data manual.

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2015 04:39 PM

In outputs.conf, there is an attribute called "IndexAndForward" which when true, will make Heavy forwarder index the data locally, along with forwarding it. The default value is false, hence generally, it's not specified, if Heavy forwarder is not storing data locally. See more details here.
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Outputsconf

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...