Getting Data In

How should I configure a Heavy Forwarder outputs.conf to work with the distributed management console?

BlueSocket
Communicator

Dear All,

I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and I am working through the pre-requisites document. We have a distributed environment with one search head, two clustered indexers, a Deployment Server/Cluster Master and a Heavy Forwarder.

When I look at the _internal index from the Search Head, I see data from all of the hosts except for the Heavy Forwarder. I think that I should get data from the Heavy Forwarder as well, so that I can monitor it from the DMC, however, it does not say this.

When looking at the HF outputs.conf, I see:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = indexer02:9997,indexer01:9997

[tcpout-server://indexer01:9997]

[tcpout-server://indexer02:9997]

Should I change this config file to include the following setting in the tcpout stanza, or will this break the Heavy Forwarder?

[tcpout]
forwardedindex.filter.disable = true  

I am not indexing any data on the HF - it is being used to forward syslog data, mainly.

Kindest regards,

BlueSocket

0 Karma
1 Solution

lguinn2
Legend

I think you need to add a bit more to your outputs.conf.

In fact, just follow the instructions here: Best practice: Forward search head data to the indexer layer
These instructions are correct, because the heavy forwarder is really just like a search head in some ways: neither of them should be indexing anything. And although you think that you aren't indexing anything on your heavy forwarder, you might be... Since the internal indexes don't require a license, so you might well be indexing without realizing it.

View solution in original post

0 Karma

lguinn2
Legend

I think you need to add a bit more to your outputs.conf.

In fact, just follow the instructions here: Best practice: Forward search head data to the indexer layer
These instructions are correct, because the heavy forwarder is really just like a search head in some ways: neither of them should be indexing anything. And although you think that you aren't indexing anything on your heavy forwarder, you might be... Since the internal indexes don't require a license, so you might well be indexing without realizing it.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...