configuring a pass-through

a212830 · ‎03-11-2014

Hi,

I want to setup a universal forwarder send events to a heavy forwarder (lots of events, with lots of parsing) and then to an indexer, where they will be stored.

My uf will have a inputs/outputs conf file, and my hf will have the same, plus a props/transforms .conf. How do I tell the hf not to index anything?

MuS · ‎03-11-2014

Hi a212830,

this is set per default this way, see the docs about outputs.conf:

indexAndForward = [true|false]
* Index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This attribute is only available for heavy forwarders.
* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
* Defaults to false.

cheers, MuS

MuS · ‎03-16-2014

you asked for transforms and the answer for this is, no

a212830 · ‎03-14-2014

Why would a sourcetype be set in props.conf?

MuS · ‎03-13-2014

no this must be done in props.conf not in inputs.conf

a212830 · ‎03-12-2014

Thanks. On hfw inputs.conf, I setup the following, and I received possible typo messages for the transforms statement. Can't I do transforms at this level?

[tcp://:19997]
sourcetype = snmp_metrics
TRANSFORMS-set = setnull,setparsing,sethost

configuring a pass-through

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...