Take a look at the whitelist and blacklist attributes:
You can even use advanced filtering now (see advanced filtering section)
For question number 2, the way you install an HF is exactly the same as any other Splunk Enterprise instance. Just configure inputs and outputs accordingly and it'll behave like one. Take a look at this:
Hope that helps.
UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like an HF following the instructions I mentioned above.
Full Splunk and an HF are the same instance. The only difference is that an HF is configured not for indexing, but for forwarding events upstream to the indexing tier. An HF is also required for some types of Splunk apps and modular inputs such as DBX, Sourcefire, AWS, etc.
I have configured a heavy forwarder and have specified another Splunk instance to forward data to.
I also configured a whitelist & blacklist for Windows System events in inputs.conf, but I am still able to see other events coming to Splunk, and the filtering isn't working.
Can you please assist?
Thanks in advance
host = splunk-102
disabled = 0
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
disabled = 0
The same stanza appears in /opt/splunk/etc/apps/splunkappwindowsinfrastructure and in /opt/splunk/etc/apps/SplunkTA_windows
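An added check, not code from this thread or from Splunk: it reads the posted whitelist and blacklist attributes (placed under an assumed [WinEventLog://System] header, since the post does not show the stanza name), expands the numeric ranges, and reports any EventCode that appears in both lists. Here 7037 lands in both, so whether it is collected depends on which list Splunk evaluates first rather than on the attributes alone.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not from the thread): the asker's attributes placed under a
# hypothetical [WinEventLog://System] header, since the post omits the stanza name.
SAMPLE_INPUTS_CONF = """
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
"""


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_codes(spec: str) -> Set[int]:
    """Expand a numeric EventCode list such as '0-7035,7037-10000' into a set.
    Only the numeric form is handled; key=regex style filters are rejected."""
    codes: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"unsupported filter element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        codes.update(range(lo, hi + 1))
    return codes


def check_filters(stanza: Dict[str, str]) -> Dict[str, List[int]]:
    """Report codes that pass both lists unambiguously ('allowed') and codes named
    in both lists ('overlap'), whose fate depends on Splunk's evaluation order."""
    wl = parse_codes(stanza.get("whitelist", ""))
    bl = parse_codes(stanza.get("blacklist", ""))
    return {"allowed": sorted(wl - bl), "overlap": sorted(wl & bl)}
```

Run it against each copy of the stanza (both app directories named above) and then confirm which copy actually wins with splunk btool inputs list --debug, since a duplicate stanza in a higher-precedence app silently overrides the one you edited.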