Pooled search heads in distributed search - disable indexing and forward all data to indexers?

msarro
Builder

Hello everyone. I have been combing around about this issue and haven't found a lot of concrete information. From what the wiki says, I need to create an outputs.conf file on all of the search heads that contains this stanza:

- outputs.conf
#Forward everything
[tcpout]
forwardedindex.filter.disable = true

However this only sets up forwarding for the _internal index. How can I completely disable indexing on the pooled search heads, and set them to forward absolutely everything to the indexers? Is this fully documented anywhere? Some of the older documents suggested turning the search heads into lightweight forwarders, but they don't exist anymore, and splunkweb doesn't exist (to my knowledge) on universal forwarders.

Based on this question:
http://answers.splunk.com/answers/69365/forwarding-summary-index-from-search-head-to-indexer

The outputs.conf should be configured in a way that matches my main outputs.conf on my forwarders, but it doesn't discuss any settings for inputs or how to route all information to those outputs.

I have spent the past 48 hours backfilling into a summary index, only to realize that the data seems to be split between all 3 of my search heads, so I need to start over. Any advice would really be appreciated.

0 Karma

gkanapathy
Splunk Employee

I don't know where you got that above stanza from, but what you actually need is an outputs.conf that is exactly like the ones you'd put on a forwarder to send to the indexers, e.g.,

[tcpout]
defaultGroup = myindexers

[tcpout:myindexers]
server = indexer1,indexer2,indexer3

msarro
Builder

So does this actually disable all local indexing on the search head, and forward all data to the indexers?

0 Karma
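
Added example, not part of either post above: an outputs.conf for a search head that combines the two stanzas from this thread with the `[indexAndForward]` setting that turns off local indexing. The group name follows the answer above; the host names and port 9997 are assumed placeholders for your indexers' receiving addresses.

```ini
# outputs.conf on each search head (added example; hosts and port are placeholders)

# Stop writing events to local indexes on this search head.
[indexAndForward]
index = false

[tcpout]
# Send everything to the indexer group defined below.
defaultGroup = myindexers
# Bypass the default forwarded-index filters so that summary and
# internal indexes (_internal, _audit, ...) are forwarded too.
forwardedindex.filter.disable = true
# Do not keep a local copy of what is forwarded.
indexAndForward = false

[tcpout:myindexers]
# Assumed receiving addresses: replace with your indexers' host:port.
server = indexer1:9997,indexer2:9997,indexer3:9997
```

With this in place the search heads' own audit and internal logs land on the indexers along with summary data, so they are searchable from any search head in the pool.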