Hi,
I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.
I have my own props.conf and transforms.conf in .../etc/system/local that obfuscate some data before forwarding. Outputs is configured for syslog on UDP port 514.
Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.
To clarify: to disable indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?
So your outputs.conf has:
[tcpout]
indexAndForward = false
I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.
Per phoffman_splunk, it must be defined globally. From the spec file:
* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
It is defined globally in the defaults outputs.conf. However this was not being honoured for some reason so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.
Is there a way to verify if the installation has been set up as a Forwarder only, i.e. it shouldn't need to index? Could this be the problem?
It sounds like that setting is not being honored. Did you restart Splunk after editing that file? What are the results of
/opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward
Splunk was restarted after editing the file.
The results of the command show indexAndForward = false in both the local and default instances of outputs.conf.
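As an added check (not from anyone in this thread): the grep above confirms the value is present but not which stanza it sits in, and per the spec quoted earlier the setting only counts at the top-level [tcpout] stanza. This script parses `btool --debug outputs list` output and reports each place indexAndForward is set and whether that placement is effective. The btool output below is a constructed sample, not captured from the poster's system.

```python
from typing import Dict, List, Tuple

# Constructed sample of `splunk btool --debug outputs list` output: each line is
# the source file path, then either a stanza header or a key = value pair.
SAMPLE_BTOOL = """\
/opt/splunk/etc/system/default/outputs.conf    [tcpout]
/opt/splunk/etc/system/default/outputs.conf    indexAndForward = false
/opt/splunk/etc/system/local/outputs.conf      [syslog]
/opt/splunk/etc/system/local/outputs.conf      indexAndForward = false
/opt/splunk/etc/system/local/outputs.conf      server = 192.0.2.10:514
/opt/splunk/etc/system/local/outputs.conf      type = udp
"""

# stanza -> key -> (value, file that btool reports as the winning source)
Settings = Dict[str, Dict[str, Tuple[str, str]]]


def parse_btool_debug(text: str) -> Settings:
    """Group btool --debug lines by stanza, remembering the file each key came from."""
    settings: Settings = {}
    stanza = None
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, content = line.partition(" ")  # path is assumed to contain no spaces
        content = content.strip()
        if content.startswith("[") and content.endswith("]"):
            stanza = content[1:-1]
            settings.setdefault(stanza, {})
        elif "=" in content and stanza is not None:
            key, _, value = content.partition("=")
            settings[stanza][key.strip()] = (value.strip(), path)
    return settings


def check_index_and_forward(settings: Settings) -> List[dict]:
    """List every stanza that sets indexAndForward; only [tcpout] makes it effective."""
    findings = []
    for stanza, keys in settings.items():
        if "indexAndForward" not in keys:
            continue
        value, path = keys["indexAndForward"]
        findings.append({"stanza": stanza, "value": value, "file": path,
                         "effective": stanza == "tcpout"})
    return findings


if __name__ == "__main__":
    for f in check_index_and_forward(parse_btool_debug(SAMPLE_BTOOL)):
        status = "effective" if f["effective"] else "IGNORED (not under [tcpout])"
        print(f"[{f['stanza']}] indexAndForward = {f['value']} from {f['file']}: {status}")
```

Pipe the real btool output into parse_btool_debug to see whether the local override landed under [syslog], where it has no effect, or under [tcpout].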