Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did our heavy forwarder start indexing locally and how to disable this?

edwardrose
Contributor
‎08-29-2014 12:44 PM

Hello All

I have a new environment where we have a bunch of nix webservers in a DMZ. We installed universal forwarders on those webservers and pointed those webservers to single heavy forwarder, which has permissions to send all data into our secure cell where the indexers reside. Recently the heavy forwarder is indexing the data locally and forwarding it on. I do not want the data to be indexed on the heavy forwarder locally, I just need it to be forwarded on to the main indexers. What should I be looking for to set this up properly again? I know the Splunk PS Engineer who came onsite helped set this up originally but not sure what has changed to cause it to start indexing locally again.

thanks
ed

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎08-29-2014 10:42 PM

Hi edwardrose,

check your tcpout stanza in the outputs.conf file if indexAndForward is set to true

[tcpout]
indexAndForward=true

if indexAndForward=true is set, this tells the forwarder to index the data locally, as well as forward the data to receiving indexers in the target groups. If set to "false" (the default), the forwarder just forwards data but does not index it. This attribute is only available for heavy forwarders; universal and light forwarders cannot index data.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎08-29-2014 10:42 PM

Hi edwardrose,

check your tcpout stanza in the outputs.conf file if indexAndForward is set to true

[tcpout]
indexAndForward=true

if indexAndForward=true is set, this tells the forwarder to index the data locally, as well as forward the data to receiving indexers in the target groups. If set to "false" (the default), the forwarder just forwards data but does not index it. This attribute is only available for heavy forwarders; universal and light forwarders cannot index data.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

edwardrose
Contributor
‎09-08-2014 11:24 AM

the outputs.conf file in /opt/splunk/etc/system/local had it set to true.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...