Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to cofigure a splunk instance as forwarder

ankithreddy777
Contributor
‎03-10-2017 06:44 AM

In outputs.conf

----IndexAndForward Processor-----

The IndexAndForward processor determines the default behavior for indexing

data on full Splunk. It has the "index" property, which determines whether

indexing occurs.

When Splunk is not configured as a forwarder, "index" is set to "true".

That is, the Splunk instance indexes data by default.

When Splunk is configured as a forwarder, the processor turns "index" to

"false". That is, the Splunk instance does not index data by default.

How to configure splunk as forwarder to set index:false

Tags (1)
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-10-2017 07:01 AM

Hi ankithreddy777, By default indexAndForward is set to default. If you have any output groups specified, Splunk will send any received events out through that outputs configuration. Therefore, to configure splunk as a forwarder, enable both an input and output interface. If you set indexAndForward to true, splunk will attempt to index the events as well as forwarding out through its tcpout group.

More info is available here : https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder

Please let me know if this answers your question. 😄

0 Karma
Reply

woodcock
Esteemed Legend
‎03-10-2017 07:00 AM

The indexAndForward feature is a very special case and it is best to be avoided. It would be better to have the forwarder forward to 2 index tiers instead, which is pretty easy. But why are you not "just forwarding" using the UF version of the app?

0 Karma
Reply

ankithreddy777
Contributor
‎03-10-2017 07:27 AM

Sorry, I mean if we use heavy forwarder, it is receiving data through one of the TCP port, How to configure it for not to index data before forwarding. Because for the splunk instance on indexers, data is automatically indexed when it gets data through tcp port.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-10-2017 08:27 AM

AHA, so all that you are really asking, is how to setup your Heavy Forwarder. That is here:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaheavyforwarder

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 06:57 AM

Hi ankithreddy777,
I think that your need is to have an Heavy Forwarder and not a Universal Forwarder.
You can configure forwarding without indexing by web gui in [Settings -- Forwarding and Receiving -- Default values for forwarding].
You can configure forwarding targets by web gui in [Settings -- Forwarding and Receiving -- Configure forwarding].
Or you can do it modifying outputs.conf file:
this is an output.conf of an Heavy forwarder that doesn't index but only forwards logs to indexers
[tcpout]
defaultGroup = autolb

[tcpout:autolb]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled = false

[tcpout-server://xxx.xxx.xxx.xxx:9997]

[[tcpout-server://yyy.yyy.yyy.yyy:9997]

Default od indexAndForward is false-

See https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Bye.
Giuseppe

0 Karma
Reply

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-10-2017 08:32 AM

I think this is a great suggestion. Here is the document discussing configuring a heavy forwarder, to supplement what's been provided:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder

Jacob
Sr. Technical Support Engineer
0 Karma
Reply

woodcock
Esteemed Legend
‎03-10-2017 06:57 AM

From https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf:

#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:

# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
#    index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.

[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top