Getting Data In

Why is my Splunk Heavy Forwarder still indexing events

ic_101
Explorer

Hi,

I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.

I have my own props.conf and transforms.conf in etc/system/local that obfuscate some data before forwarding. outputs.conf is configured for syslog over UDP port 514.

Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.


phoffman_splunk
Splunk Employee

To clarify: to disable indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?

so your outputs.conf has:
[tcpout]
indexAndForward = false

ic_101
Explorer

I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.


bwooden
Splunk Employee

Per phoffman_splunk, it must be defined globally. From the spec file:

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.

ic_101
Explorer

It is defined globally in the defaults outputs.conf. However this was not being honoured for some reason so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.

Is there a way to verify if the installation has been set up as a Forwarder only, i.e. it shouldn't need to index? Could this be the problem?


bwooden
Splunk Employee

It sounds like that setting is not being honored. Did you restart Splunk after editing that file? What are the results of

/opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward
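The grep above shows the value of indexAndForward but drops the one thing the spec quote earlier in the thread says matters: which stanza it sits in. btool list prints the merged effective configuration, one value per key per stanza, so two matching lines from the grep means two different stanzas, and only the one under the top-level [tcpout] stanza is honoured. The following script is an added example (not code from this thread or from Splunk) that reads the output of `splunk btool --debug outputs list`, assumed to be in btool's "<source file>  <config line>" form, tracks stanzas while it reads, and reports the effective [tcpout] value alongside any copies placed where they are ignored. The sample input embedded in it is constructed for the example and mirrors the situation in the thread: the setting present under [tcpout] in the default file and repeated under [syslog] in a local file.

```python
"""Stanza-aware check of indexAndForward in Splunk outputs.conf.

Added example, not code from the thread or from Splunk. Input is the text of
`splunk btool --debug outputs list`, where each line is prefixed with the
file it came from. Per outputs.conf.spec the indexAndForward attribute is
honoured only in the top-level [tcpout] stanza, so a copy under [syslog] or
under a target group is reported as ignored.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# btool --debug prefixes every line with its source file (a path without spaces).
BTOOL_LINE = re.compile(r"^(\S+)\s+(.*)$")
STANZA = re.compile(r"^\[([^\]]*)\]$")
SETTING = re.compile(r"^([A-Za-z0-9_.:-]+)\s*=\s*(.*)$")

# Constructed sample of btool --debug output (not captured from a real host):
# the default file carries the setting under [tcpout], a local file repeats
# it under [syslog], where the spec says it is not honoured.
SAMPLE = """\
/opt/splunk/etc/system/default/outputs.conf  [tcpout]
/opt/splunk/etc/system/default/outputs.conf  indexAndForward = false
/opt/splunk/etc/system/default/outputs.conf  maxQueueSize = auto
/opt/splunk/etc/system/local/outputs.conf    [syslog]
/opt/splunk/etc/system/local/outputs.conf    indexAndForward = false
/opt/splunk/etc/system/local/outputs.conf    [syslog:obfuscated_udp]
/opt/splunk/etc/system/local/outputs.conf    server = 192.0.2.10:514
/opt/splunk/etc/system/local/outputs.conf    type = udp
"""


def parse_btool_debug(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (stanza, key, value, source_file) for every setting line."""
    stanza = ""
    settings: List[Tuple[str, str, str, str]] = []
    for raw in text.splitlines():
        m = BTOOL_LINE.match(raw.strip())
        if not m:
            continue
        source, line = m.group(1), m.group(2).strip()
        if not line or line.startswith("#"):
            continue
        s = STANZA.match(line)
        if s:
            stanza = s.group(1)  # every following key belongs to this stanza
            continue
        kv = SETTING.match(line)
        if kv:
            settings.append((stanza, kv.group(1), kv.group(2).strip(), source))
    return settings


def check_index_and_forward(btool_text: str) -> Dict[str, object]:
    """Find the effective indexAndForward and any copies outside [tcpout]."""
    effective: Optional[str] = None
    effective_source: Optional[str] = None
    ignored: List[Tuple[str, str, str]] = []
    for stanza, key, value, source in parse_btool_debug(btool_text):
        if key != "indexAndForward":
            continue
        if stanza == "tcpout":
            effective, effective_source = value.lower(), source
        else:
            # Any other stanza: the spec says the attribute is not honoured here.
            ignored.append((stanza, value.lower(), source))
    return {"effective": effective, "effective_source": effective_source,
            "ignored": ignored}


def report(btool_text: str) -> str:
    """Human-readable summary of check_index_and_forward()."""
    r = check_index_and_forward(btool_text)
    lines = []
    if r["effective"] is None:
        lines.append("indexAndForward is not set in [tcpout]; the spec default applies")
    else:
        lines.append(f"[tcpout] indexAndForward = {r['effective']} (from {r['effective_source']})")
    for stanza, value, source in r["ignored"]:
        lines.append(f"IGNORED: indexAndForward = {value} under [{stanza}] in {source}; "
                     "only honoured in the top-level [tcpout] stanza")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: splunk btool --debug outputs list > outputs.btool
    #        python3 check_iaf.py outputs.btool
    # With no argument the constructed SAMPLE is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(report(text))
```

Run against the real btool output rather than the sample; the script only reads what btool printed, so it reflects the merged view after a restart, not the files as edited. Whatever the outcome, the events already written to the forwarder's main index are a retained copy of data that was meant to leave the host, and need cleaning up separately once new events stop being indexed.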

ic_101
Explorer

Splunk was restarted after editing the file.

Results of the command show indexAndForward = false in the local and default instances of outputs.conf.
