Splunk Enterprise

Prevent Indexer from indexing whilst forwarding syslog to a 3rd party system

bvv
Explorer

outputs.conf

[syslog:syslogGroup]
server = x.x.x.x:514

props.conf

[helloworld]
TRANSFORMS-rsyslog = syslogRouting

transforms.conf

[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

This config is applied on an indexer (many tutorials use a heavy forwarder which by defaults does not index data). This works perfectly in forwarding rawdata in syslog to another system however rawdata is also being indexed. Is there a way to prevent indexing from happening?

I've tried adding a nullQueue stanza to props.conf without luck.

Tags (1)
0 Karma

masonmorales
Influencer

Is the data already cooked when it hits the indexer? / What's forwarding the data to the indexer?

0 Karma

bvv
Explorer

Data is not not cooked
UF-->This splunk instance (both Indexer and Search Head role)

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Set index = false for indexAndForward in outputs.conf.

[indexAndForward]
index=false
0 Karma

bvv
Explorer

This will stop not just [helloworld] but all other indexes from indexing.

The splunk instance itself is an Indexer and a Search Head at the same time.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

You can try this. Set selectiveIndexing = true. And remove attribute _INDEX_AND_FORWARD_ROUTING if added under monitor stanza in inputs.conf. This makes forwarder to not index this data.

[indexAndForward]
index=true
selectiveIndexing = true
0 Karma

bvv
Explorer

This stopped indexing on all indexes as well..
I might consider setting up a HF to pick up data from UF instead of sending directly to Indexer.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...