Solved: Why does the distributed management console show m...

reswob4 · ‎02-16-2016

So I've tried the following suggested configurations:

http://docs.splunk.com/Documentation/Splunk/6.2.0/DistSearch/Forwardsearchheaddata
https://answers.splunk.com/answers/30622/how-to-turn-off-indexing-on-dedicated-search-head.html (doesn't seem to apply to 6.3.3)
https://answers.splunk.com/answers/106166/if-there-is-an-outputs-conf-on-a-dedicated-search-head-doe...

and here is my /opt/splunk/etc/apps/all_forwarder_outputs/local/outputs.conf

BASE SETTINGS

[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
indexAndForward = false

[tcpout:primary_indexers]
server = indexer1:9997, indexer2:9997

autolb settings

autoLB=true
autoLBFrequency=15
forceTimebasedAutoLB=true

Yet when I look at my Distributed Management Console, it still thinks my search head is also an Indexer.

Is there another outputs.conf I should be configuring?

Thanks

vasildavid · ‎02-16-2016

For the DMC app, there is a "General Setup" page under the "Settings" pulldown. Under this page you can set your server roles by editing your servers and assinging whether they are a Search Head, Indexer, License Server, etc.

View solution in original post

vasildavid · ‎02-16-2016

For the DMC app, there is a "General Setup" page under the "Settings" pulldown. Under this page you can set your server roles by editing your servers and assinging whether they are a Search Head, Indexer, License Server, etc.

Why does the distributed management console show my search head as an indexer?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?