We use a heavy forwarder to read and transmit data from a Windows Event Collector's "Forwarded Events".
The license is set to "Forwarder License".
The databases of the forwarder grew quite big and are almost filling up the disk space of the collector machine.
How do we reduce the index size of the forwarder?
Is it cached data ready to get sent OR data it has already sent that is stored in the local databases?
Open up the guide again and find this:
You can use Splunk Web to perform one other configuration (for heavy forwarders only). To store a copy of indexed data local to the forwarder:
1. From Forwarding and receiving, select Forwarding defaults.
2. Select Yes to store and maintain a local copy of the indexed data on the forwarder.
Just undo it or you set outputs.conf to false, read more here
But you chose "no" for this step in the instructions:
After you set all of the configurations in the heavy forwarder, did you restart it?
I suggest that you give the following commands on the heavy forwarder:
1. splunk stop
2. splunk clean eventdata -index main
3. splunk start
If the index begins to grow again, then you have a configuration problem somewhere.
"no" is already set.
I use the Splunk heavy forwarder instance to send syslog to a syslog server on which Splunk runs and indexes the data written by the syslog server.
(This is necessary because I use syslog-ng to filter the data AND provide access to the data for other tools. These tools run on the 20-30 GB full data set while Splunk indexes only a 3 GB subset.)
I followed these instructions.
Could that be a cause for the indexing? Do I have to clear the index manually?
That might be the case. 😉
I followed the description on this documentation page to deploy the heavy forwarder.
It says "Important: A heavy forwarder has a key advantage over light and universal forwarders in that it can index your data locally, as well as forward the data to another Splunk index. However, local indexing is turned off by default."
In my case it seems that indexing is turned on.
How do I turn it off?