Indexing and forwarding requirements for database mode

Agent management database mode requires the data that the saved-search pipeline uses to remain searchable locally. Configure your forwarding to retain local searchable visibility.

The saved-search pipeline data must remain searchable by the agent management server that handles requests. If you forward that data in a way that removes local searchable visibility, you can disrupt agent management database mode.

Forwarding configurations

The simplest forwarding configuration for agent management database mode indexes forwarded data locally:

# outputs.conf
[indexAndForward]
index = true
selectiveIndexing = false

This configuration keeps the required data searchable locally for the saved-search pipeline. Use it as the recommended starting point when you enable database mode on an agent management server that forwards data.

Selective indexing configuration

If you must keep selectiveIndexing = true, you need additional local-routing configuration. You must explicitly mark agent management generated events for local indexing:

# outputs.conf
[indexAndForward]
index = true
selectiveIndexing = true

[tcpout]
defaultGroup = <target_group>

[tcpout:<target_group>]
server = <host>:9997
disabled = 0

# props.conf
[source::AgentManager*]
TRANSFORMS-am-local-index-routing = am_set_index_and_forward_local

# transforms.conf
[am_set_index_and_forward_local]
REGEX = .
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local

The source::AgentManager* selector targets agent management generated events such as AgentManagerClientData and AgentManagerPhonehomeData. The transform marks those events for local indexing while selectiveIndexing = true is in effect. Without this routing configuration, your agent management server can forward the data without retaining the local searchable events that database mode needs.
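The following Python check is an added example, not part of the product or its documentation. It reports whether a set of configuration files satisfies either of the two configurations described above. It assumes the effective contents of outputs.conf, props.conf and transforms.conf are supplied as text; the function names, the sample strings and the treatment of a missing key as false are assumptions of the example.

```python
import configparser

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case (TRANSFORMS-..., DEST_KEY)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def is_true(value):
    # Simplification of this example: a missing key counts as false.
    return (value or "").strip().lower() in ("true", "1")

def check_database_mode(outputs, props, transforms):
    """Return findings; an empty list means the required data stays searchable locally."""
    out, pr, tr = parse_conf(outputs), parse_conf(props), parse_conf(transforms)
    iaf = out.get("indexAndForward", {})
    if not is_true(iaf.get("index")):
        return ["[indexAndForward] index is not true"]
    if not is_true(iaf.get("selectiveIndexing")):
        return []  # simplest configuration: forwarded data is also indexed locally
    # selectiveIndexing = true: a transform bound to source::AgentManager* must
    # set _INDEX_AND_FORWARD_ROUTING to local.
    stanza = pr.get("source::AgentManager*", {})
    bound = [n.strip() for key, val in stanza.items()
             if key.startswith("TRANSFORMS-") for n in val.split(",")]
    for name in bound:
        t = tr.get(name, {})
        if t.get("DEST_KEY") == "_INDEX_AND_FORWARD_ROUTING" and t.get("FORMAT") == "local":
            return []
    return ["selectiveIndexing = true without local routing for source::AgentManager*"]

# Constructed sample input, modelled on the selective indexing configuration.
OUTPUTS_SELECTIVE = """
[indexAndForward]
index = true
selectiveIndexing = true
"""
PROPS = """
[source::AgentManager*]
TRANSFORMS-am-local-index-routing = am_set_index_and_forward_local
"""
TRANSFORMS = """
[am_set_index_and_forward_local]
REGEX = .
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local
"""
if __name__ == "__main__":
    print(check_database_mode(OUTPUTS_SELECTIVE, PROPS, TRANSFORMS) or "ok")
```

An empty list means one of the two documented configurations is present; any finding names the setting that would leave agent management events forwarded but not searchable locally.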

Heavy Forwarder co-location

If you co-locate agent management with a Heavy Forwarder, selectiveIndexing = false can cause additional forwarded data to be indexed locally. For that topology, validate disk and license impact, use the selectiveIndexing = true configuration with the required local-routing transform, or separate the agent management and Heavy Forwarder roles.

Remote indexers

If your agent management server searches remote indexers, make sure the searched data corresponds to the agent management server that produced it. If you forward internal logs from multiple agent management servers to the same remote indexers and then search the same shared data, agent management can read mixed data and return incorrect or inconsistent results.

For other deployment patterns, keep your agent management forwarding setup aligned with the applicable Splunk documentation for your version.