Reading from article : **Does data indexed and forwarded from a heavy forwarder to indexer would charge twice?**
Any indexed forwarded events from a Heavy forwarded are NOT licensed twice.
When Indexing and forwarding from a Heavy Forwarder, the licensing is only used at the Heavy Forwarder, since indexed Data sent to the Indexer, doesn't go through the Parsing queue (as well as the Aggregator and Typing queues).
I have setup the following on my Heavy Forwarder:
outputs.conf:
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = rdbrsdem03.ref.clp7.local:9997
indexAndForward=true
props.conf
[source::tcp:9999]
BREAK_ONLY_BEFORE=^CEF\:0\|
So on my heavy forwarder, I am sending indexed data to my indexer (rdbrsdem03), and it also filters all events that start with `CEF:0|`
When I check licensing it seems as if the events **ARE** being indexed on both the Heavy Forwarder and Indexer.
Can someone provide me with a search possibly using the 'summary' index that proves the events are only being index at the Heavy Forwarder, please?
I have a developer license at the moment so would like to prove that events that need to be indexed at the Heavy Forwarder (due to local users in a remote site being able to search events of their local hardware events) and then not being reindexed (in effect doubling licensing costs) on the Indexer.
Hope this all makes sense, please let me know if there is anything further you may need.
kind regards
Damindra
↧