<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cannot forward one specific index between indexers in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583268#M102772</link>
    <description>&lt;P&gt;I'm working on an indexer to try to forward all data ingested with IT Essentials Work + Splunk Add-on for Unix &amp;amp; Linux to a remote indexer cluster. Until now, that indexer is receiving events into all itsi_* indexes, but, when I try to setup the forwarding option into that indexer, I cannot set the forwardedindex.n.whitelist and blacklist to forward only the itsi_* indexes to the IDX Cluster. I've try to overwrite all default whitelists and blacklists on local and reset whitelists with itsi_* indexes, but, this still forwarding all indexes, nor only itsi_* indexes.&lt;/P&gt;&lt;P&gt;My outputs.conf file is like following:&lt;/P&gt;&lt;P&gt;[tcpout]&lt;BR /&gt;defaultGroup = default-autolb-group&lt;BR /&gt;forwardedindex.0.whitelist =&lt;BR /&gt;forwardedindex.1.blacklist =&lt;BR /&gt;forwardedindex.2.whitelist =&lt;BR /&gt;forwardedindex.0.whitelist = (itsi_grouped_alerts|itsi_im_meta|itsi_im_metrics|itsi_import_objects|itsi_notable_archive|itsi_notable_audit|itsi_summary|itsi_summary_metrics|itsi_tracked_alerts)&lt;BR /&gt;indexAndForward = 1&lt;/P&gt;&lt;P&gt;[tcpout:default-autolb-group]&lt;BR /&gt;disabled = false&lt;BR /&gt;server = HFtoIDXCluster:9997&lt;BR /&gt;useACK = true&lt;/P&gt;&lt;P&gt;If I use a "default" config option, overwriting the lists not resetting (not declaring the default 3 lists empty on the tcpout stanza) I have the same behaviour. This is the first time I try to set forwarding options from an indexer. I need to forward this data because it's used for administration of each Splunk instances, and it's required to get into a specific Splunk Enterprise cluster, but, all other indexes it's not required to be forwarded. Have I miss something to specify into config files?&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;</description>
    <pubDate>Tue, 01 Feb 2022 19:25:57 GMT</pubDate>
    <dc:creator>lenrigodoy</dc:creator>
    <dc:date>2022-02-01T19:25:57Z</dc:date>
    <item>
      <title>Cannot forward one specific index between indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583268#M102772</link>
      <description>&lt;P&gt;I'm working on an indexer to try to forward all data ingested with IT Essentials Work + Splunk Add-on for Unix &amp;amp; Linux to a remote indexer cluster. Until now, that indexer is receiving events into all itsi_* indexes, but, when I try to setup the forwarding option into that indexer, I cannot set the forwardedindex.n.whitelist and blacklist to forward only the itsi_* indexes to the IDX Cluster. I've try to overwrite all default whitelists and blacklists on local and reset whitelists with itsi_* indexes, but, this still forwarding all indexes, nor only itsi_* indexes.&lt;/P&gt;&lt;P&gt;My outputs.conf file is like following:&lt;/P&gt;&lt;P&gt;[tcpout]&lt;BR /&gt;defaultGroup = default-autolb-group&lt;BR /&gt;forwardedindex.0.whitelist =&lt;BR /&gt;forwardedindex.1.blacklist =&lt;BR /&gt;forwardedindex.2.whitelist =&lt;BR /&gt;forwardedindex.0.whitelist = (itsi_grouped_alerts|itsi_im_meta|itsi_im_metrics|itsi_import_objects|itsi_notable_archive|itsi_notable_audit|itsi_summary|itsi_summary_metrics|itsi_tracked_alerts)&lt;BR /&gt;indexAndForward = 1&lt;/P&gt;&lt;P&gt;[tcpout:default-autolb-group]&lt;BR /&gt;disabled = false&lt;BR /&gt;server = HFtoIDXCluster:9997&lt;BR /&gt;useACK = true&lt;/P&gt;&lt;P&gt;If I use a "default" config option, overwriting the lists not resetting (not declaring the default 3 lists empty on the tcpout stanza) I have the same behaviour. This is the first time I try to set forwarding options from an indexer. I need to forward this data because it's used for administration of each Splunk instances, and it's required to get into a specific Splunk Enterprise cluster, but, all other indexes it's not required to be forwarded. Have I miss something to specify into config files?&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;</description>
      <pubDate>Tue, 01 Feb 2022 19:25:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583268#M102772</guid>
      <dc:creator>lenrigodoy</dc:creator>
      <dc:date>2022-02-01T19:25:57Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot forward one specific index between indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583315#M102777</link>
      <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234741"&gt;@lenrigodoy&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Did you try specifying the outputs in the below manner?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout]
defaultGroup = default-autolb-group
forwardedindex.0.whitelist =(itsi_grouped_alerts|itsi_im_meta|itsi_im_metrics|itsi_import_objects|itsi_notable_archive|itsi_notable_audit|itsi_summary|itsi_summary_metrics|itsi_tracked_alerts)
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
indexAndForward = 1&lt;/LI-CODE&gt;&lt;P&gt;The filters will be working in the sequential manner of the integers provided after the forwardedindex parameter. And in your case, I see there are 2 parameters with &lt;STRONG&gt;forwardedindex.0.whitelist&lt;/STRONG&gt; in the outputs.conf. And sequentially, the filter you need is present in the parameter present at the bottom.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Feb 2022 03:43:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583315#M102777</guid>
      <dc:creator>tshah-splunk</dc:creator>
      <dc:date>2022-02-02T03:43:33Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot forward one specific index between indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583389#M102784</link>
      <description>&lt;P&gt;I've follow the Docs about route data&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad#Filter_data_by_target_index" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad#Filter_data_by_target_index&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In this doc, it's recommended to do:&lt;/P&gt;&lt;P&gt;"If you want to forward only the data targeted for a single index (for example, as specified in&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;inputs.conf), and drop any data that is not a target for that index, configure&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;outputs.conf&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;in this way:&lt;/P&gt;&lt;PRE&gt;[tcpout]
#Disable the current filters from the defaults outputs.conf
forwardedindex.0.whitelist = 
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

#Forward data for the "myindex" index
forwardedindex.0.whitelist = myindex&lt;/PRE&gt;&lt;P&gt;This first disables all filters from the default&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;outputs.conf&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;file. It then sets the filter for your own index. Be sure to start the filter numbering with 0:&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;forwardedindex.0."&lt;/P&gt;&lt;P&gt;Now, I'm testing your config, I'll update my answer in case of that config works. Otherwise, I will test other configs to find the working one.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Feb 2022 13:16:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cannot-forward-one-specific-index-between-indexers/m-p/583389#M102784</guid>
      <dc:creator>lenrigodoy</dc:creator>
      <dc:date>2022-02-02T13:16:56Z</dc:date>
    </item>
  </channel>
</rss>

