Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my Splunk Heavy Forwarder still indexing events

ic_101
Explorer
‎02-13-2015 07:26 AM

Hi,

I have set up a Splunk Heavy Forwarder (v6.1.1) that collects events from a number of Windows and Linux servers and parses the data before forwarding it on. My understanding is that the forwarder should not index the data by default, but I can see all the events being forwarded in the main index of the heavy forwarder.

I have my own props.conf and transform.conf in ..etc-system-local that obfuscates some data before forwarding. Outputs is configured for syslog UDP port 514.

Any ideas why this may be happening, and how I can stop it indexing? I've tried setting indexAndForward=false in outputs.conf.

Tags (1)
Reply

phoffman_splunk
Splunk Employee
Splunk Employee
‎02-13-2015 10:23 AM

To clarify; disabling the indexing globally (all data), did you put indexAndForward=false under the [tcpout] stanza?

so your outputs.conf has:
[tcpout]
indexAndForward = false

Reply

ic_101
Explorer
‎02-13-2015 10:38 AM

I put it under the [syslog] stanza to try and set it globally. We are using syslog forwarding over UDP.

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎02-13-2015 10:43 AM

Per phoffman_splunk, it must be defined globally. From the spec file:

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
Reply

ic_101
Explorer
‎02-16-2015 06:24 AM

It is defined globally in the defaults outputs.conf. However this was not being honoured for some reason so I added it to the local outputs.conf to see if it would pick that up instead. I tried setting it at the top level as you suggest, but unfortunately it still appears to be indexing.

Is there a way to verify if the installation has been set up as a Forwarder only, i.e. it shouldn't need to index? Could this be the problem?

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎02-13-2015 09:12 AM

It sounds like that setting is not being honored. Did you re-start Splunk after editing that file? What are the results of 

/opt/splunk/bin/splunk btool --debug outputs list | grep indexAndForward
0 Karma
Reply

ic_101
Explorer
‎02-13-2015 09:33 AM

Splunk was re-started after editing the file.

Results of command show indexAndForward = false in local and default instances of output.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...