Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How should I configure a Heavy Forwarder outputs.conf to work with the distributed management console?

BlueSocket
Communicator
‎01-14-2016 07:34 AM

Dear All,

I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and I am working through the pre-requisites document. We have a distributed environment with one search head, two clustered indexers, a Deployment Server/Cluster Master and a Heavy Forwarder.

When I look at the _internal index from the Search Head, I see data from all of the hosts except for the Heavy Forwarder. I think that I should get data from the Heavy Forwarder as well, so that I can monitor it from the DMC, however, it does not say this.

When looking at the HF outputs.conf, I see:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = indexer02:9997,indexer01:9997

[tcpout-server://indexer01:9997]

[tcpout-server://indexer02:9997]

Should I change this config file to include the following setting in the tcpout stanza, or will this break the Heavy Forwarder?

[tcpout]
forwardedindex.filter.disable = true

I am not indexing any data on the HF - it is being used to forward syslog data, mainly.

Kindest regards,

BlueSocket

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-14-2016 02:15 PM

I think you need to add a bit more to your outputs.conf.

In fact, just follow the instructions here: Best practice: Forward search head data to the indexer layer
These instructions are correct, because the heavy forwarder is really just like a search head in some ways: neither of them should be indexing anything. And although you think that you aren't indexing anything on your heavy forwarder, you might be... Since the internal indexes don't require a license, so you might well be indexing without realizing it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-14-2016 02:15 PM

I think you need to add a bit more to your outputs.conf.

In fact, just follow the instructions here: Best practice: Forward search head data to the indexer layer
These instructions are correct, because the heavy forwarder is really just like a search head in some ways: neither of them should be indexing anything. And although you think that you aren't indexing anything on your heavy forwarder, you might be... Since the internal indexes don't require a license, so you might well be indexing without realizing it.

0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...