Getting Data In

Why is my Splunk Heavy Forwarder still indexing events

ic_101
Explorer

Hi,

I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.

I have my own props.conf and transforms.conf in ../etc/system/local that obfuscate some data before forwarding. Outputs is configured for syslog UDP port 514.

Any ideas why this may be happening, and how I can stop it from indexing? I've tried setting indexAndForward=false in outputs.conf.


phoffman_splunk
Splunk Employee

To clarify: to disable indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?

So your outputs.conf has:

    [tcpout]
    indexAndForward = false

ic_101
Explorer

I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.


bwooden
Splunk Employee

Per phoffman_splunk, it must be defined globally. From the spec file:

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.

ic_101
Explorer

It is defined globally in the default outputs.conf. However, this was not being honoured for some reason, so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.

Is there a way to verify whether the installation has been set up as a forwarder only, i.e. that it shouldn't need to index? Could this be the problem?


bwooden
Splunk Employee

It sounds like that setting is not being honored. Did you restart Splunk after editing that file? What are the results of

    /opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward
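The grep above keeps the key line but drops the stanza header it was merged into, which is exactly the context the spec quote says matters (indexAndForward is honoured only at the top-level [tcpout] stanza). The following script is an added example, not code from this thread or from Splunk: it parses the full `btool --debug` listing, tracks the stanza each key belongs to, and flags any indexAndForward that sits outside [tcpout]. The sample listing is constructed for illustration; the "<source file>  <conf line>" layout is assumed from how btool --debug prints, and the column spacing is approximate.

```python
import re

# Constructed sample of `splunk btool outputs list --debug` output; it is not
# captured from a real forwarder and the column spacing is approximate. Each
# line is "<source file>  <conf line>", with a stanza header preceding the
# keys that btool merged into that stanza.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/system/local/outputs.conf    [syslog]
/opt/splunk/etc/system/local/outputs.conf    indexAndForward = false
/opt/splunk/etc/system/local/outputs.conf    server = 10.0.0.5:514
/opt/splunk/etc/system/local/outputs.conf    type = udp
/opt/splunk/etc/system/default/outputs.conf  [tcpout]
/opt/splunk/etc/system/default/outputs.conf  indexAndForward = false
/opt/splunk/etc/system/default/outputs.conf  maxQueueSize = 500KB
"""

# First column is the source file path, the rest is the conf line itself.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*)$")


def parse_btool(text):
    """Turn btool --debug output into (stanza, key, value, path) tuples,
    remembering which stanza each key was merged into."""
    stanza = None
    settings = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            continue
        if "=" in body:
            key, _, value = body.partition("=")
            settings.append((stanza, key.strip(), value.strip(), match.group("path")))
    return settings


def audit_index_and_forward(text):
    """List every indexAndForward declaration with the stanza it sits in and
    whether that placement is one Splunk honours (top-level [tcpout] only)."""
    findings = []
    for stanza, key, value, path in parse_btool(text):
        if key != "indexAndForward":
            continue
        findings.append({
            "stanza": stanza,
            "value": value,
            "path": path,
            "effective": stanza == "tcpout",
        })
    return findings


def report(text):
    """Human-readable summary lines; returned rather than only printed."""
    lines = []
    findings = audit_index_and_forward(text)
    for f in findings:
        status = "OK  " if f["effective"] else "WARN"
        lines.append(f"{status} [{f['stanza']}] indexAndForward = {f['value']}  ({f['path']})")
    if not any(f["effective"] for f in findings):
        lines.append("WARN no indexAndForward under [tcpout]; the [tcpout] default applies")
    return lines


if __name__ == "__main__":
    # On a real host, feed it the live listing instead of the sample:
    #   /opt/splunk/bin/splunk btool outputs list --debug | python3 this_script.py
    print("\n".join(report(SAMPLE_BTOOL_OUTPUT)))
```

Run against the sample it reports the local value as WARN (it is under [syslog]) and the default value as OK (under [tcpout]), which is the distinction a plain `grep indexAndForward` cannot make.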

ic_101
Explorer

Splunk was restarted after editing the file.

Results of the command show indexAndForward = false in the local and default instances of outputs.conf.
