
How do I index a single file locally on the HF

tkwaller1
Path Finder

Hello


Currently all data forwarded to our on-prem HF goes to Splunk Cloud. I now have a single file that I want to index locally on the HF.

Is there an easy way to do this, that doesn't risk preventing data forwarding for the rest of the data that's already sending properly?

Thanks!

0 Karma


livehybrid
SplunkTrust

Hi @tkwaller1 

How would you then search this data? Do you have a license to ingest data on-premise if you are using Splunk Cloud?

If you really need to do this and have a license for it then it's not *really* just a forwarder anymore...but anyway..!

I think if you set _TCP_ROUTING = (empty value) in your inputs.conf stanza for the file then this will override the default forwarding target group for that specific input only, forcing the Heavy Forwarder to index the file locally while preserving Splunk Cloud forwarding for all other data.

[monitor:///path/to/your/file.log]
index = local_index_name
sourcetype = your_sourcetype
_TCP_ROUTING =
disabled = 0

Splunk interprets the empty assignment as "route to no target groups." Since Heavy Forwarders possess indexing capabilities, the data enters the local indexing pipeline.

It goes without saying that this isn't typical/best practice and may have other implications!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
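As an added check that is not part of the thread, the Python below parses an HF's inputs.conf and outputs.conf and reports which monitor stanzas will be indexed locally versus forwarded, so you can confirm only the intended stanza carries the empty _TCP_ROUTING before restarting. The .conf contents, index names and server name are constructed samples, and the routing logic is a simplification of what Splunk does at runtime.

```python
import configparser
# Constructed sample inputs.conf (not from the thread): only the alerts CSV
# stanza carries an empty _TCP_ROUTING; the others should keep going to Cloud.
SAMPLE_INPUTS = """
[monitor:///var/log/app/*.log]
index = app
sourcetype = app:log
[monitor:///opt/alerts/triggered.csv]
index = local_index_name
sourcetype = triggered_alerts
_TCP_ROUTING =
disabled = 0
[monitor:///var/log/secure]
index = os
_TCP_ROUTING = cloud_group
"""
# Constructed sample outputs.conf with one default target group.
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = cloud_group
[tcpout:cloud_group]
server = inputs.example.splunkcloud.com:9997
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case and accept "key =" (empty value).
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def routing_plan(inputs_text, outputs_text):
    """Map each enabled input stanza to the tcpout group it will use, or "LOCAL" when
    _TCP_ROUTING is empty. Simplified: ignores indexAndForward and other .conf layers."""
    inputs, outputs = _parse(inputs_text), _parse(outputs_text)
    default = outputs.get("tcpout", "defaultGroup", fallback="").strip()
    plan = {}
    for stanza in inputs.sections():
        if inputs.get(stanza, "disabled", fallback="0").strip() in ("1", "true"):
            continue
        routing = inputs.get(stanza, "_TCP_ROUTING", fallback=None)
        if routing is None:
            plan[stanza] = default or "LOCAL"          # not set: inherit defaultGroup
        else:
            plan[stanza] = routing.strip() or "LOCAL"  # "_TCP_ROUTING =": no target group
    return plan

def local_only_stanzas(inputs_text, outputs_text):
    """Stanzas that will be indexed on the HF instead of forwarded."""
    return sorted(s for s, d in routing_plan(inputs_text, outputs_text).items() if d == "LOCAL")
```

Point it at the real files under $SPLUNK_HOME/etc and anything beyond the one expected stanza in the local-only list means another input would silently stop reaching Splunk Cloud.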

tkwaller1
Path Finder

For a little background on WHY I want to do this: we are a hybrid Splunk Cloud architecture, and the HF sends to Splunk Cloud FedRAMP. This is a workaround for triggering external alert actions based off of alerts. Since the alert originates outside our on-prem network the traffic is automatically blocked per security restrictions. I worked with our CSM team and support and got REST access from our on-prem host to the SH so I can pull back triggered alerts.

From there I was outputting the results into a file that I wanted to trigger actions off of, but to do this I need to be able to search that file.

The HF is a full install of Splunk Enterprise, I can run searches for local data on this host. I split a small license off of our main license. This file is pretty small and is CSV formatted.

I get that it's not best practice, but I have to work around that sometimes to achieve goals.

I will test and see if the recommendations work. I appreciate the response!

I will mark as answer once I test.


0 Karma

richgalloway
SplunkTrust

Forwarders don't store data locally - they just forward it somewhere else.

If data was stored locally you wouldn't be able to search for it since the data would not be on a search peer.

---
If this reply helps you, Karma would be appreciated.
0 Karma