Getting Data In

How to disable indexing on search head cluster members?

rajeev_ku
Path Finder

Hi,

I recently deployed a search head cluster and an indexer cluster and integrated them.
How can I disable indexing on search head cluster members? Is there any workaround without making an entry in outputs.conf?

Thanks
Rajeev

1 Solution

renjith_nair
SplunkTrust

You can disable indexing and forward the data to indexers from the search head.

Please refer to: https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Outputsconf#IndexAndForward_Processor-----

[indexAndForward]
index = [true|false]
* If set to true, data is indexed.
* If set to false, data is not indexed.
* Default depends on whether the Splunk instance is configured as a
  forwarder, modified by any value configured for the indexAndForward
  attribute in [tcpout].
Happy Splunking!
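
For reference, a complete outputs.conf for a search head that forwards its data to the indexer tier without indexing locally, built around the [indexAndForward] stanza quoted above. This is an added example, not part of the original post; the group name and indexer host names are constructed placeholders.

```ini
# outputs.conf on each search head cluster member
# (group name and server addresses below are constructed placeholders)

# Turn off local indexing on the search head.
[indexAndForward]
index = false

[tcpout]
# Send everything to the indexer group defined below.
defaultGroup = primary_indexers
# Disable the forwardedindex.* filters so that data for every index is
# forwarded, including the internal indexes (_internal, _audit) and
# summary indexes.
forwardedindex.filter.disable = true
# Do not keep a locally indexed copy in addition to forwarding.
indexAndForward = false

[tcpout:primary_indexers]
# Receiving port configured on the indexers (9997 is the conventional choice).
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
```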

Masa
Splunk Employee

Curious.
What is the use case where you want to avoid using outputs.conf to forward SHC logs?

0 Karma

rajeev_ku
Path Finder

I don't want to index data from the SHC, either on the SH or on other indexers. I will monitor the SHC from other monitoring tools.

0 Karma

renjith_nair
SplunkTrust

Even though you don't want any monitoring data, it's highly suggested to forward at least the internal logs, since they contain a lot of metrics which will help you in troubleshooting.

Happy Splunking!
0 Karma

Masa
Splunk Employee

Agree with renjith.nair, as a good practice.
Monitoring the SH with another monitoring tool is most likely different from keeping the logs of the Splunk instance, which record the behavior of the Splunk instance including splunkweb, kvstore, splunkd, etc. So, you cannot really monitor a Splunk SH in an SHC using the DMC feature without indexing such logs. You cannot create useful correlation searches, etc. Anyway, that's an interesting reason.

gcusello
SplunkTrust

You can also do it using the web interface:
Settings -- Forwarder and Receiving -- Configure Forward

Bye.
Giuseppe

0 Karma
