In outputs.conf
How to configure splunk as forwarder to set index:false
Hi ankithreddy777, by default indexAndForward is set to default. If you have any output groups specified, Splunk will send any received events out through that outputs configuration. Therefore, to configure Splunk as a forwarder, enable both an input and an output interface. If you set indexAndForward to true, Splunk will attempt to index the events as well as forward them out through its tcpout group.
More info is available here: https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder
Please let me know if this answers your question. 😄
The indexAndForward feature is a very special case and it is best to be avoided. It would be better to have the forwarder forward to 2 index tiers instead, which is pretty easy. But why are you not "just forwarding" using the UF version of the app?
Sorry, I mean if we use a heavy forwarder, it is receiving data through one of the TCP ports. How do I configure it not to index data before forwarding? Because for the Splunk instance on indexers, data is automatically indexed when it gets data through a TCP port.
AHA, so all that you are really asking is how to set up your Heavy Forwarder. That is here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaheavyforwarder
Hi ankithreddy777,
I think that what you need is a Heavy Forwarder and not a Universal Forwarder.
You can configure forwarding without indexing in the web GUI in [Settings -- Forwarding and Receiving -- Default values for forwarding].
You can configure forwarding targets in the web GUI in [Settings -- Forwarding and Receiving -- Configure forwarding].
Or you can do it by modifying the outputs.conf file:
This is an outputs.conf of a Heavy Forwarder that doesn't index but only forwards logs to indexers:
[tcpout]
defaultGroup = autolb
[tcpout:autolb]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled = false
[tcpout-server://xxx.xxx.xxx.xxx:9997]
[tcpout-server://yyy.yyy.yyy.yyy:9997]
Default of indexAndForward is false.
See https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf
Bye.
Giuseppe
I think this is a great suggestion. Here is the document discussing configuring a heavy forwarder, to supplement what's been provided:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder
From https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf:
#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:
# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
# 2. In inputs.conf, add _INDEX_AND_FORWARD_ROUTING for any data that you want
# to index locally, and _TCP_ROUTING=<target_group> for data to be forwarded.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local
[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
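A way to check an outputs.conf for what this thread asks about, as an added example that is not from any of the posters or from Splunk: it reports whether local indexing is explicitly on or off, which servers each default group forwards to, and any malformed stanza headers. The sample config, the 192.0.2.x addresses, the function names and the precedence between the two index settings are assumptions of this example.

```python
import re

# Constructed sample modelled on the outputs.conf posted in the thread;
# the 192.0.2.x addresses are placeholders and the last header has a typo.
SAMPLE = """\
[tcpout]
defaultGroup = autolb
[indexAndForward]
index = false
[tcpout:autolb]
server = 192.0.2.10:9997, 192.0.2.11:9997
disabled = false
[[tcpout-server://192.0.2.11:9997]
"""

def parse_conf(text):
    """Return ({stanza: {key: value}}, [(line_no, malformed_header)])."""
    stanzas, malformed, current = {}, [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            match = re.fullmatch(r"\[([^\[\]]+)\]", line)
            if match is None:
                malformed.append((line_no, line))
            # Settings under a malformed header are not attributed to any stanza.
            current = stanzas.setdefault(match.group(1), {}) if match else None
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas, malformed

def audit_outputs(text):
    """Report explicit local-indexing state and forwarding targets."""
    stanzas, malformed = parse_conf(text)
    tcpout = stanzas.get("tcpout", {})
    # Assumption: [indexAndForward] index wins over [tcpout] indexAndForward.
    # None means "not set explicitly"; no default is assumed here.
    raw = stanzas.get("indexAndForward", {}).get("index", tcpout.get("indexAndForward"))
    groups = [g.strip() for g in tcpout.get("defaultGroup", "").split(",") if g.strip()]
    targets = {g: [s.strip() for s in
                   stanzas.get("tcpout:" + g, {}).get("server", "").split(",") if s.strip()]
               for g in groups}
    return {
        "indexes_locally": None if raw is None else raw.lower() in ("true", "1"),
        "targets": targets,
        "groups_without_servers": [g for g, servers in targets.items() if not servers],
        "malformed_headers": malformed,
    }

if __name__ == "__main__":
    print(audit_outputs(SAMPLE))
```

Running `splunk btool outputs list --debug` on the forwarder shows the merged configuration Splunk actually uses, which is the text to feed to a check like this when several apps contribute outputs.conf files.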