I think I am running a regular forwarder but I see these in the metrics.log:
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=send-out-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=tcp-output-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
Where are the configurations for processor=send-out-light-forwarder or tcp-output-light-forwarder? I think this is why my event data filtering is not working.
I start Splunk with:
./splunk enable app SplunkForwarder
That should start the regular, not light, forwarder, right?
tcp-output-light-forwarder and send-out-light-forwarder are defined in modules/parsing/config.xml. The tcp-output-light-forwarder and send-out-light-forwarder processors are disabled in the regular forwarder, but enabled in SplunkLightForwarder.
For the regular forwarder, you don't need to enable any app (you should disable SplunkForwarder).
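One way to check a forwarder's metrics.log for activity on the light-forwarder processors named above. This is an added example, not part of the original posts and not Splunk tooling. The function names are hypothetical, and every sample line other than the two quoted in the question is constructed.

```python
import re
from collections import defaultdict

# First two lines are quoted in the question; the rest are constructed.
SAMPLE = """\
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=send-out-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
01-12-2011 01:29:21.021 INFO Metrics - group=pipeline, name=parsing, processor=tcp-output-light-forwarder, cpu_seconds=0.000000, executes=36, cumulative_hits=221543
01-12-2011 01:29:52.021 INFO Metrics - group=pipeline, name=parsing, processor=send-out-light-forwarder, cpu_seconds=0.000000, executes=4, cumulative_hits=221547
01-12-2011 01:29:52.021 INFO Metrics - group=pipeline, name=parsing, processor=example-processor, cpu_seconds=0.000000, executes=9, cumulative_hits=100
01-12-2011 01:29:52.021 INFO Metrics - group=queue, name=examplequeue, current_size=0
this line is not a metrics record
"""

# Timestamp (date + time), log level, then the comma-separated key=value body.
LINE_RE = re.compile(r"^(\S+ \S+) INFO\s+Metrics - (.*)$")


def parse_line(line):
    """Return (timestamp, {key: value}) for a Metrics line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split(", ") if "=" in kv)
    return m.group(1), fields


def light_forwarder_activity(text):
    """Sum `executes` per (pipeline, processor) for *-light-forwarder processors."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip anything that is not a Metrics record
        _, f = parsed
        if f.get("group") != "pipeline":
            continue  # only pipeline records carry a processor field
        proc = f.get("processor", "")
        if proc.endswith("-light-forwarder"):
            totals[(f.get("name"), proc)] += int(f.get("executes", 0))
    return dict(totals)


if __name__ == "__main__":
    for (pipeline, proc), n in sorted(light_forwarder_activity(SAMPLE).items()):
        print(f"{pipeline}: {proc} executes={n}")
```

To run it against a real file, pass the file's contents to `light_forwarder_activity` in place of `SAMPLE`.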