Getting Data In

License implications between a light weight forwarder ans standard forwarder.

imacdonald2
Path Finder

I would like to be able to filter events before it hits the indexer.

I tried putting the following in a app definition

transforms.conf

[setnull]
REGEX = (\[SipServletRequestImpl\])
DEST_KEY = queue
FORMAT = nullQueue

and props.conf

[source::/var/log/angel/jboss-callcontrol/sip-container.log]
TRANSFORMS-null= setnull

The app is deployed on a server that is set up as a light weight forwarder. This doesn't appear to work with light weight forwarders, and is confirmed with reading answers on here.

Question 1: What is the implication of moving from a light weight forwarder to a standard forwarder in terms of licensing? Do i need to have a separate license for a standard forwarder?

Question 2: Can I do the filtering on our main splunk server? That way I can continue using the light weight forwarder setup I already have.

The goal is to remove stuff from the log inputs so it doesn't count against or daily license limit.

Thanks

Tags (2)
1 Solution

ziegfried
Influencer

Using a normal forwarder instead of a lightweight one doesn't necessarily have implications in terms of licensing. Only if you turn on the "indexAndForward" feature on the forwarder - which would lead to data beeing indexed on the forwarder is self as well as on the indexer - would be a reason to install a enterprise license. You can configure this option under Manager -> Forwarding & Receiving -> Forwarding defaults.

You can of course filter the events before beeing indexed on the indexer (in case you use the LW forwarder). You just have to configure the transforms there. The only downside is that all events go over the network.

View solution in original post

ziegfried
Influencer

Using a normal forwarder instead of a lightweight one doesn't necessarily have implications in terms of licensing. Only if you turn on the "indexAndForward" feature on the forwarder - which would lead to data beeing indexed on the forwarder is self as well as on the indexer - would be a reason to install a enterprise license. You can configure this option under Manager -> Forwarding & Receiving -> Forwarding defaults.

You can of course filter the events before beeing indexed on the indexer (in case you use the LW forwarder). You just have to configure the transforms there. The only downside is that all events go over the network.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...