Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to disable indexing on search head cluster members?

rajeev_ku
Path Finder
‎08-17-2016 01:29 AM

Hi,

I recently deployed a search head cluster and indexer cluster and integrated.
How I can disable indexing on search head cluster members? Is there any workaround without making an entry in outputs.conf?

Thanks
Rajeev

Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-17-2016 02:03 AM

You can disable indexing and forward the data to indexers from search head.

Please refer : https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Outputsconf#IndexAndForward_Processor-----

[indexAndForward]
index = [true|false]
* If set to true, data is indexed.
* If set to false, data is not indexed.
* Default depends on whether the Splunk instance is configured as a
  forwarder, modified by any value configured for the indexAndForward
  attribute in [tcpout].
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎08-17-2016 09:42 AM

Curious.
What is a use case you want to avoid making use of outputs.conf to forwarding SHC logs?

0 Karma
Reply
Solved! Jump to solution

rajeev_ku
Path Finder
‎08-17-2016 07:06 PM

I don't want to index data from SHC neither on SH nor on other Indexers. I will monitor SHC from other monitoring tools.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-18-2016 05:57 AM

Even though you don't want any monitoring data, it's highly suggested to forward the internal logs at least since it contain a lot of metrics which will help you in troubleshooting

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎08-19-2016 03:03 PM

Agree with renjith.nair for a good practice.
Monitoring SH by other monitoring tool is most likely different from keeping logs of splunk instance for logging behavior of Splunk instance including splunkweb, kvstore, splunkd etc. So, you cannot really monitor Splunk SH in SHC making use of DMC feature without indexing such logs. You cannot create useful correlation searches etc. Anyway, that's an interesting reason.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-17-2016 03:14 AM

You can do it also using web interface:
Settings -- Forwarder and Receiving -- Configure Forward

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-17-2016 02:03 AM

You can disable indexing and forward the data to indexers from search head.

Please refer : https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Outputsconf#IndexAndForward_Processor-----

[indexAndForward]
index = [true|false]
* If set to true, data is indexed.
* If set to false, data is not indexed.
* Default depends on whether the Splunk instance is configured as a
  forwarder, modified by any value configured for the indexAndForward
  attribute in [tcpout].
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top