Splunk Enterprise

How to cofigure a splunk instance as forwarder

ankithreddy777
Contributor

In outputs.conf

----IndexAndForward Processor-----

The IndexAndForward processor determines the default behavior for indexing

data on full Splunk. It has the "index" property, which determines whether

indexing occurs.

When Splunk is not configured as a forwarder, "index" is set to "true".

That is, the Splunk instance indexes data by default.

When Splunk is configured as a forwarder, the processor turns "index" to

"false". That is, the Splunk instance does not index data by default.

How to configure splunk as forwarder to set index:false

Tags (1)
0 Karma

muebel
SplunkTrust
SplunkTrust

Hi ankithreddy777, By default indexAndForward is set to default. If you have any output groups specified, Splunk will send any received events out through that outputs configuration. Therefore, to configure splunk as a forwarder, enable both an input and output interface. If you set indexAndForward to true, splunk will attempt to index the events as well as forwarding out through its tcpout group.

More info is available here : https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder

Please let me know if this answers your question. 😄

0 Karma

woodcock
Esteemed Legend

The indexAndForward feature is a very special case and it is best to be avoided. It would be better to have the forwarder forward to 2 index tiers instead, which is pretty easy. But why are you not "just forwarding" using the UF version of the app?

0 Karma

ankithreddy777
Contributor

Sorry, I mean if we use heavy forwarder, it is receiving data through one of the TCP port, How to configure it for not to index data before forwarding. Because for the splunk instance on indexers, data is automatically indexed when it gets data through tcp port.

0 Karma

woodcock
Esteemed Legend

AHA, so all that you are really asking, is how to setup your Heavy Forwarder. That is here:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaheavyforwarder

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ankithreddy777,
I think that your need is to have an Heavy Forwarder and not a Universal Forwarder.
You can configure forwarding without indexing by web gui in [Settings -- Forwarding and Receiving -- Default values for forwarding].
You can configure forwarding targets by web gui in [Settings -- Forwarding and Receiving -- Configure forwarding].
Or you can do it modifying outputs.conf file:
this is an output.conf of an Heavy forwarder that doesn't index but only forwards logs to indexers
[tcpout]
defaultGroup = autolb

[tcpout:autolb]
server = xxx.xxx.xxx.xxx:9997, yyy.yyy.yyy.yyy:9997
disabled = false

[tcpout-server://xxx.xxx.xxx.xxx:9997]

[[tcpout-server://yyy.yyy.yyy.yyy:9997]

Default od indexAndForward is false-

See https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Bye.
Giuseppe

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

I think this is a great suggestion. Here is the document discussing configuring a heavy forwarder, to supplement what's been provided:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Deployaheavyforwarder

Jacob
Sr. Technical Support Engineer
0 Karma

woodcock
Esteemed Legend

From https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf:

#
# Perform selective indexing and forwarding
#
# With a heavy forwarder only, you can index and store data locally, as well as
# forward the data onwards to a receiving indexer. There are two ways to do
# this:

# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

# 2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want
#    index locally, and
_TCP_ROUTING=<target_group> for data to be forwarded.

[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...