How to configure splunk as forwarder to set index:false
Hi ankithreddy777, By default indexAndForward is set to default. If you have any output groups specified, Splunk will send any received events out through that outputs configuration. Therefore, to configure Splunk as a forwarder, enable both an input and output interface. If you set indexAndForward to true, Splunk will attempt to index the events as well as forwarding out through its tcpout group.
More info is available here: https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder
Please let me know if this answers your question. 😄
indexAndForward feature is a very special case and it is best to be avoided. It would be better to have the forwarder forward to 2 index tiers instead, which is pretty easy. But why are you not "just forwarding" using the UF version of the app?
Sorry, I mean if we use a heavy forwarder, it is receiving data through one of the TCP ports. How do we configure it not to index data before forwarding? Because for the Splunk instance on indexers, data is automatically indexed when it gets data through a TCP port.
I think that your need is to have a Heavy Forwarder and not a Universal Forwarder.
You can configure forwarding without indexing by web gui in [Settings -- Forwarding and Receiving -- Default values for forwarding].
You can configure forwarding targets by web gui in [Settings -- Forwarding and Receiving -- Configure forwarding].
Or you can do it by modifying the outputs.conf file.
This is an outputs.conf of a Heavy Forwarder that doesn't index but only forwards logs to indexers:

    [tcpout]
    # default target group for forwarded data
    defaultGroup = autolb

    [tcpout:autolb]
    server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
    disabled = false

    [tcpout-server://xxx.xxx.xxx.xxx:9997]

    [tcpout-server://yyy.yyy.yyy.yyy:9997]

Default of indexAndForward is false.
I think this is a great suggestion. Here is the document discussing configuring a heavy forwarder, to supplement what's been provided:

    #
    # Perform selective indexing and forwarding
    #
    # With a heavy forwarder only, you can index and store data locally, as well as
    # forward the data onwards to a receiving indexer. There are two ways to do
    # this:

    # 1. In outputs.conf:
    [tcpout]
    defaultGroup = indexers

    [indexAndForward]
    index=true
    selectiveIndexing=true

    [tcpout:indexers]
    server = 10.1.1.197:9997, 10.1.1.200:9997

    # 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
    # index locally, and _TCP_ROUTING=<target_group> for data to be forwarded.

    [monitor:///var/log/messages/]
    _INDEX_AND_FORWARD_ROUTING=local

    [monitor:///var/log/httpd/]
    _TCP_ROUTING=indexers
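
To check a heavy forwarder's outputs.conf against the two configurations quoted in this thread, the following added example (not code from the thread or from Splunk) flags local indexing and unusable default target groups. The names `parse_conf` and `audit_outputs` are hypothetical, the 192.0.2.x addresses are constructed, and an absent setting is treated as false, as the thread states.

```python
TRUE = ("1", "true", "t", "yes", "y")  # spellings treated as boolean true here

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping '#' comments."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_outputs(text):
    """Return findings for outputs.conf text; an empty list means forward-only."""
    conf, findings = parse_conf(text), []
    # Assumption taken from the thread: an absent setting means no local indexing.
    for stanza, key in (("tcpout", "indexAndForward"), ("indexAndForward", "index")):
        if conf.get(stanza, {}).get(key, "false").lower() in TRUE:
            findings.append(f"[{stanza}] {key} is true: events are indexed locally")
    default = conf.get("tcpout", {}).get("defaultGroup", "")
    groups = [g.strip() for g in default.split(",") if g.strip()]
    if not groups:
        findings.append("[tcpout] defaultGroup is not set")
    for group in groups:
        target = conf.get("tcpout:" + group)
        if target is None:
            findings.append(f"defaultGroup {group} has no [tcpout:{group}] stanza")
        elif target.get("disabled", "false").lower() in TRUE:
            findings.append(f"[tcpout:{group}] is disabled")
        elif not target.get("server", "").replace(",", "").strip():
            findings.append(f"[tcpout:{group}] lists no server")
    return findings

# Constructed samples modelled on the two configurations quoted in the thread.
FORWARD_ONLY = """[tcpout]
defaultGroup = autolb
[tcpout:autolb]
server = 192.0.2.10:9997, 192.0.2.11:9997
disabled = false
"""
INDEX_AND_FORWARD = """[tcpout]
defaultGroup = indexers
[indexAndForward]
index = true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
"""
```

Pass the text of the forwarder's outputs.conf to `audit_outputs`; `FORWARD_ONLY` yields no findings and `INDEX_AND_FORWARD` yields one for `[indexAndForward] index`.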