splunk / splunk-platform-automator

Ansible framework providing a fast and simple way to spin up complex Splunk environments.
Apache License 2.0

Best practice: Forward master node data to the indexer layer #12

Closed aleoliva closed 4 years ago

aleoliva commented 4 years ago

Describe the bug

Following Splunk>docs, Best practice: Forward master node data to the indexer layer, it is suggested to set up the outputs.conf file as:

# Turn off indexing on the master
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_peers_nodes
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_peers_nodes]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997

However, the actual org_all_forwarder_outputs/local/outputs.conf defines:

[tcpout]
defaultGroup = my_peers_nodes
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)

[tcpout:my_peers_nodes]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997

To Reproduce

N/A

Expected behavior

We consider that using [indexAndForward] and forwardedindex.filter.disable = true in the outputs.conf file would give a more consistent platform setup than specifically listing all internal indexes.

Screenshots

N/A

Additional context

N/A
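As an added example (not part of this issue or of the Splunkenizer project), a small Python check that parses a cluster manager's outputs.conf and reports whether _audit, _internal and _introspection would actually reach the peers, accepting either the forwardedindex.filter.disable form from the docs or the forwardedindex.N.whitelist form shipped in org_all_forwarder_outputs. It assumes the Splunk defaults quoted later in this thread, that a whitelist regex must match the whole index name, and it ignores blacklist rules.

```python
import configparser
import re

# Internal indexes the issue wants forwarded off the cluster manager.
INTERNAL_INDEXES = ("_audit", "_internal", "_introspection")
# Defaults as quoted in the thread from /opt/splunk/etc/system/default/outputs.conf.
DEFAULTS = {("indexAndForward", "index"): "false", ("tcpout", "indexAndForward"): "false",
            ("tcpout", "forwardedindex.filter.disable"): "false"}

# Constructed sample: the Splunkenizer variant quoted in the issue (whitelist, no filter.disable).
APP_STYLE = """
[tcpout]
defaultGroup = my_peers_nodes
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
[tcpout:my_peers_nodes]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
"""

def setting(cp, stanza, key):
    """Effective value of a key, falling back to the Splunk defaults quoted above."""
    return cp.get(stanza, key, fallback=DEFAULTS.get((stanza, key), "")).strip().lower()

def internal_indexes_forwarded(cp):
    """True if every internal index leaves the box: the index filter is disabled, or a
    numbered whitelist regex matches it (assumption: whole-name match, whitelists only)."""
    if setting(cp, "tcpout", "forwardedindex.filter.disable") == "true":
        return True
    items = cp.items("tcpout") if cp.has_section("tcpout") else []
    pats = [v for k, v in items if re.fullmatch(r"forwardedindex\.\d+\.whitelist", k)]
    return all(any(re.fullmatch(p, i) for p in pats) for i in INTERNAL_INDEXES)

def check_manager_outputs(text):
    """Return findings for a cluster manager's outputs.conf; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase keys such as defaultGroup
    cp.read_string(text)
    findings = []
    if setting(cp, "indexAndForward", "index") != "false":
        findings.append("[indexAndForward] index must be false on the manager")
    if setting(cp, "tcpout", "indexAndForward") != "false":
        findings.append("[tcpout] indexAndForward must be false")
    group = cp.get("tcpout", "defaultGroup", fallback="").strip()
    if not group:
        findings.append("[tcpout] defaultGroup is not set, so nothing is forwarded")
    elif not cp.get(f"tcpout:{group}", "server", fallback="").strip():
        findings.append(f"[tcpout:{group}] has no server list")
    if not internal_indexes_forwarded(cp):
        findings.append("internal indexes (_audit/_internal/_introspection) stay local")
    return findings
```

Running `check_manager_outputs(APP_STYLE)` returns an empty list, as does the docs-style file with filter.disable = true; a file with no defaultGroup or with index = true is flagged.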

splunkenizer commented 4 years ago

Hi

Default Settings of Splunk Base Config Apps are not part of the Splunkenizer and are maintained by Splunk Professional Services.

The settings you want to set here are default values of Splunk Core anyway, so you don't need to set them. You can always find the defaults on the systems in /opt/splunk/etc/system/default/outputs.conf

[indexAndForward]
index = false

[tcpout]
indexAndForward = false

However, you can always change the default values in the base_config_apps in your Software location to be picked up during install, or deploy a modified version after installation.

aleoliva commented 4 years ago

Hi,

Yes, this is true for indexAndForward, but forwardedindex.filter.disable is disabled by default, e.g.:

$ grep forwardedindex.filter.disable  /opt/splunk/etc/system/default/outputs.conf
forwardedindex.filter.disable = false

However, I didn't know this part was under Splunk Professional Services' responsibility. Do you know if they have a channel where I can raise my suggestion?

However, you can always change the default values in the base_config_apps in your Software location to be picked up during install, or deploy a modified version after installation.

Yes, this is going to be our way; we just wanted to suggest this update to you.

splunkenizer commented 4 years ago

However, I didn't know this part was under Splunk Professional Services' responsibility. Do you know if they have a channel where I can raise my suggestion?

I suggest sending such things to a Splunk Professional Services consultant you work with. For this particular suggestion, I can track it. Thanks for mentioning it. I will close this ticket now.