Hi,
I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.
I have my own props.conf and transform.conf in ..etc-system-local that obfuscate some data before forwarding. Outputs is configured for syslog UDP port 514.
Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.