Dear All,
I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and I am working through the pre-requisites document. We have a distributed environment with one search head, two clustered indexers, a Deployment Server/Cluster Master and a Heavy Forwarder.
When I look at the _internal index from the Search Head, I see data from all of the hosts except for the Heavy Forwarder. I think that I should get data from the Heavy Forwarder as well, so that I can monitor it from the DMC, however, it does not say this.
When looking at the HF outputs.conf, I see:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = indexer02:9997,indexer01:9997
[tcpout-server://indexer01:9997]
[tcpout-server://indexer02:9997]
Should I change this config file to include the following setting in the tcpout stanza, or will this break the Heavy Forwarder?
[tcpout]
forwardedindex.filter.disable = true
I am not indexing any data on the HF - it is being used to forward syslog data, mainly.
Kindest regards,
BlueSocket
↧