I have set Universal.Forwarder on SQL Server to forward all data to heavy forwarder. However, in the search results of the Indexer, for the indexed data from SQL, it shows the "Splunk Server" field as the Indexer and NOT the H.F. I feel, it should show the Splunk server field as Heavy Forwarder as thats the splunk server where the data is coming from. Please let me know if my understanding is wrong.
Could this be because, I have set forwarding defaults in Heavy forwarder, to NOT store local data ?
Second imp question is, I have installed SQL server add-on on the Indexer and the H.F, where all the inputs are set to disabled = 1 for the perfmon:sqlserver data in the inputs.conf file of the local folder of the add-on, however, despite of that I am still getting huge amount of Perfmon:sqlserver data on the indexer.
Can someone please help me in figuring out where i can make the change in stopping this huge amount of unnecessary data ?
Thanks.
↧