Solved: splunk forwarder showing different events indexed ...

remy06 · ‎07-27-2010

Hi,

Just to check, I've a splunk forwarder that shows lesser events indexed than on the splunk indexer.Is it suppose to be like this?

For eg, on a windows server I've this forwarder installed and configured to send winevent logs to splunk indexer. The forwarder itself shows 26,434 events indexed while on the splunk indexer shows 253,118.

I've configured forwarding defaults NOT to store a local copy of forwarded events so has it got anything to do with this?

e82than · ‎07-27-2010

hi remy06,

By not getting your fowarder to keep a copy of the data, the results differ.

"I've configured forwarding defaults NOT to store a local copy of forwarded events so has it got anything to do with this?"

R, Ethan Hunt.

View solution in original post

e82than · ‎07-27-2010

hi remy06,

By not getting your fowarder to keep a copy of the data, the results differ.

"I've configured forwarding defaults NOT to store a local copy of forwarded events so has it got anything to do with this?"

R, Ethan Hunt.

splunk forwarder showing different events indexed than splunk indexer

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation