Splunk Enterprise

How to configure a Splunk instance as forwarder


In outputs.conf

----IndexAndForward Processor-----

The IndexAndForward processor determines the default behavior for indexing data on full Splunk. It has the "index" property, which determines whether indexing occurs.

When Splunk is not configured as a forwarder, "index" is set to "true". That is, the Splunk instance indexes data by default.

When Splunk is configured as a forwarder, the processor turns "index" to "false". That is, the Splunk instance does not index data by default.

How to configure Splunk as a forwarder to set index:false?

0 Karma


Hi ankithreddy777, by default indexAndForward is set to default. If you have any output groups specified, Splunk will send any received events out through that outputs configuration. Therefore, to configure Splunk as a forwarder, enable both an input and output interface. If you set indexAndForward to true, Splunk will attempt to index the events as well as forwarding out through its tcpout group.

More info is available here : https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder

Please let me know if this answers your question. 😄

0 Karma

Esteemed Legend

The indexAndForward feature is a very special case and it is best to be avoided. It would be better to have the forwarder forward to 2 index tiers instead, which is pretty easy. But why are you not "just forwarding" using the UF version of the app?

0 Karma


Sorry, I mean if we use a heavy forwarder that is receiving data through one of the TCP ports, how do we configure it not to index data before forwarding? Because for the Splunk instance on indexers, data is automatically indexed when it gets data through a TCP port.

0 Karma

Esteemed Legend

AHA, so all that you are really asking is how to set up your Heavy Forwarder. That is here:


0 Karma


Hi ankithreddy777,
I think that your need is to have a Heavy Forwarder and not a Universal Forwarder.
You can configure forwarding without indexing by web GUI in [Settings -- Forwarding and Receiving -- Default values for forwarding].
You can configure forwarding targets by web GUI in [Settings -- Forwarding and Receiving -- Configure forwarding].
Or you can do it by modifying the outputs.conf file.
This is an outputs.conf of a Heavy Forwarder that doesn't index but only forwards logs to indexers:

# target group that receives all forwarded data by default
[tcpout]
defaultGroup = autolb

# receiving indexers that make up the autolb group
[tcpout:autolb]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled = false



Default of indexAndForward is false.

See https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf


0 Karma
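An added example, not part of the original thread or of Splunk's own tooling: a small audit check that reads one outputs.conf and reports whether the instance would index locally and which target groups it forwards to. The function name `forwarding_mode` and the sample addresses are constructed for illustration; when `[indexAndForward] index` is not set, the default follows the spec text quoted in the question, and layering across multiple .conf files is not modeled.

```python
import configparser

def forwarding_mode(conf_text):
    """Return (indexes_locally, active_groups, problems) for one outputs.conf."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str                      # keep setting names case-sensitive
    cp.read_string(conf_text)
    truthy = ("true", "1")

    groups, problems = {}, []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        if cp.get(section, "disabled", fallback="false").strip().lower() in truthy:
            continue                          # disabled groups never receive data
        servers = cp.get(section, "server", fallback="")
        groups[section.split(":", 1)[1]] = [s.strip() for s in servers.split(",") if s.strip()]

    default = cp.get("tcpout", "defaultGroup", fallback="")
    active = {}
    for name in (g.strip() for g in default.split(",") if g.strip()):
        if not groups.get(name):
            problems.append(f"defaultGroup {name!r} has no enabled stanza with servers")
        else:
            active[name] = groups[name]

    explicit = cp.get("indexAndForward", "index", fallback=None)
    if explicit is None:
        indexes = not active                  # rule from the spec text quoted in the question
    else:
        indexes = explicit.strip().lower() in truthy
    return indexes, active, problems

# Constructed sample files; the addresses are documentation-range placeholders.
FORWARD_ONLY = """
[tcpout]
defaultGroup = autolb

[tcpout:autolb]
server = 192.0.2.10:9997, 192.0.2.11:9997
disabled = false
"""
INDEX_AND_FORWARD = FORWARD_ONLY + "\n[indexAndForward]\nindex = true\n"
DANGLING_GROUP = "[tcpout]\ndefaultGroup = missing\n"

if __name__ == "__main__":
    for label, text in [("forward only", FORWARD_ONLY), ("index and forward", INDEX_AND_FORWARD),
                        ("dangling group", DANGLING_GROUP)]:
        print(label, forwarding_mode(text))
```

A `True` in the first position on a host meant to be a pure forwarder means events are also being written to local indexes there, and a non-empty problems list means the default group points at nothing that can receive data.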

Splunk Employee

I think this is a great suggestion. Here is the document discussing configuring a heavy forwarder, to supplement what's been provided:


Sr. Technical Support Engineer
0 Karma

Esteemed Legend

From https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf:

# Perform selective indexing and forwarding
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:

# 1. In outputs.conf:
defaultGroup = indexers


server =,

# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
#    index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.


0 Karma