Getting Data In

Why is my Splunk Heavy Forwarder still indexing events

ic_101
Explorer

Hi,

I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.

I have my own props.conf and transforms.conf in ../etc/system/local that obfuscate some data before forwarding. outputs.conf is configured for syslog over UDP port 514.

Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.


phoffman_splunk
Splunk Employee

To clarify: to disable indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?

So your outputs.conf should have:
[tcpout]
indexAndForward = false

ic_101
Explorer

I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.

0 Karma

bwooden
Splunk Employee

Per phoffman_splunk, it must be defined globally. From the spec file:

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.

ic_101
Explorer

It is defined globally in the default outputs.conf. However, this was not being honoured for some reason, so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.

Is there a way to verify if the installation has been set up as a Forwarder only, i.e. it shouldn't need to index? Could this be the problem?

0 Karma

bwooden
Splunk Employee

It sounds like that setting is not being honored. Did you re-start Splunk after editing that file? What are the results of

/opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward
0 Karma

ic_101
Explorer

Splunk was re-started after editing the file.

Results of the command show indexAndForward = false in both the local and default instances of outputs.conf.

0 Karma
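The thread turns on two things: how btool layers default/outputs.conf and local/outputs.conf, and the spec's rule that indexAndForward is honoured only in the top-level [tcpout] stanza, not under [syslog] or a target group. The script below is an added example, not code from the thread or from Splunk. It parses two constructed outputs.conf layers, merges them the way btool does (local wins per attribute), prints the per-file hits the way `btool --debug ... | grep indexAndForward` would, and flags any copy of the attribute sitting in a stanza the spec does not define it for. The "misplaced" sample reproduces the situation described in the thread: btool reports indexAndForward = false in both default and local, yet the local copy is in [syslog], where it has no effect. The "fixed" sample moves it to [tcpout] and also sets the separately documented top-level [indexAndForward] stanza, whose `index` attribute outputs.conf.spec says supersedes the [tcpout] value; the checker reports that value too. The file contents and the 10.0.0.5 collector address are constructed for the example.

```python
"""Reproduce what `splunk btool --debug outputs list` shows: merge the
default/ and local/ copies of outputs.conf, then report where
indexAndForward is defined and whether that placement is one the spec
honours (only the top-level [tcpout] stanza)."""
import configparser
from typing import Dict, List, Tuple

Stanzas = Dict[str, Dict[str, str]]

# Constructed sample files, not copied from the thread.
DEFAULT_OUTPUTS = """\
[tcpout]
indexAndForward = false
maxQueueSize = auto
"""

# The situation described in the thread: the attribute is set under
# [syslog], a stanza for which outputs.conf.spec does not define it.
LOCAL_OUTPUTS_MISPLACED = """\
[syslog]
indexAndForward = false
defaultGroup = udp_collector

[syslog:udp_collector]
server = 10.0.0.5:514
type = udp
"""

# Same syslog target, with the attribute where the spec says it lives,
# plus the separately documented [indexAndForward] stanza set explicitly.
LOCAL_OUTPUTS_FIXED = """\
[tcpout]
indexAndForward = false

[indexAndForward]
index = false

[syslog]
defaultGroup = udp_collector

[syslog:udp_collector]
server = 10.0.0.5:514
type = udp
"""


def parse_conf(text: str) -> Stanzas:
    """Parse one .conf file into {stanza: {attribute: value}}."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk attribute names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def btool_merge(layers: List[Tuple[str, Stanzas]]) -> Stanzas:
    """Merge layers given lowest-precedence first; later layers win per attribute."""
    merged: Stanzas = {}
    for _name, stanzas in layers:
        for stanza, attrs in stanzas.items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


def btool_debug(layers: List[Tuple[str, Stanzas]], key: str) -> List[Tuple[str, str, str]]:
    """Like `btool --debug ... | grep key`: every (layer, stanza, value) that sets key."""
    return [(name, stanza, attrs[key])
            for name, stanzas in layers
            for stanza, attrs in stanzas.items()
            if key in attrs]


def check_index_and_forward(merged: Stanzas) -> dict:
    """Summarise the effective config: where indexAndForward landed and what outputs exist."""
    return {
        "tcpout_indexAndForward": merged.get("tcpout", {}).get("indexAndForward"),
        # Copies of the attribute in stanzas where the spec does not define it
        "misplaced": sorted(s for s, a in merged.items()
                            if s != "tcpout" and "indexAndForward" in a),
        "indexAndForward_index": merged.get("indexAndForward", {}).get("index"),
        "tcpout_groups": sorted(s for s in merged if s.startswith("tcpout:")),
        "syslog_groups": sorted(s for s in merged if s.startswith("syslog:")),
    }


if __name__ == "__main__":
    for label, local in (("misplaced", LOCAL_OUTPUTS_MISPLACED), ("fixed", LOCAL_OUTPUTS_FIXED)):
        layers = [("default", parse_conf(DEFAULT_OUTPUTS)), ("local", parse_conf(local))]
        print(label, btool_debug(layers, "indexAndForward"))
        print(label, check_index_and_forward(btool_merge(layers)))
```

Run as-is and compare the two summaries: the misplaced layout shows `tcpout_indexAndForward` as false (inherited from default) and `misplaced` as `['syslog']`, which is exactly why a grep of btool output can look correct while the local setting is being ignored. On a real host, point `parse_conf` at the contents of `$SPLUNK_HOME/etc/system/default/outputs.conf` and `.../local/outputs.conf` (and any app-level copies, in the precedence order btool reports) instead of the constructed strings.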