https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103542#M21780 <P>hi, <BR /> I am having this problem now , for the _internal data routing to the new indexer . <BR /> my problem is - I have to forward _internal index alone from a indexer to the new indexer , it should not forward all the data only _internal one. </P> <P>i don't want to store this particular _internal data in this indexer, it should move to the new indexers. </P> Tue, 20 Feb 2018 10:06:09 GMT benazir 2018-02-20T10:06:09Z https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103538#M21776 <P>Hi,</P> <P>If I forward the _internal index from an indexer to my management Splunk instance, the license master, I can search the _internal index.</P> <P>But, if I search the main index, there are a lot of forwarded events there too that are<BR /> based on non-internal sourcetypes and sources.</P> <P>Has anyone seen this before?</P> <P>outputs.conf<BR /> [tcpout]<BR /> forwardedindex.0.blacklist = .*<BR /> forwardedindex.1.whitelist = _internal<BR /> forwardedindex.2.whitelist = _audit<BR /> forwardedindex.filter.disable = false</P> <P>[tcpout:management]<BR /> server = 172.20.10.35:9997<BR /> compressed = false<BR /> sendCookedData = true</P> <P>inputs.conf<BR /> [monitor://$SPLUNK_HOME/var/log/splunk]<BR /> _TCP_ROUTING = management<BR /> index = _internal</P> Mon, 28 Sep 2020 12:07:08 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103538#M21776 ephemeric 2020-09-28T12:07:08Z https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103539#M21777 <P>I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non internal data is the main index. This sounds like normal behavior from my perspective. </P> Thu, 19 Jul 2012 16:52:32 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103539#M21777 jbsplunk 2012-07-19T16:52:32Z https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103540#M21778 <P>My bad. Sorry, the main index on the Splunk management instance has nothing, just checked. I forward the _internal index from an indexer to this management instance and end up with a stack of non _internal index events in the main index on the management instance.</P> Thu, 19 Jul 2012 16:53:45 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103540#M21778 ephemeric 2012-07-19T16:53:45Z https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103541#M21779 <P>My bad. We were forwarding raw unparsed data which was hence uncooked and the resulting sourcetype pollution ensued.</P> Tue, 05 Feb 2013 09:46:54 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103541#M21779 ephemeric 2013-02-05T09:46:54Z https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103542#M21780 <P>hi, <BR /> I am having this problem now , for the _internal data routing to the new indexer . <BR /> my problem is - I have to forward _internal index alone from a indexer to the new indexer , it should not forward all the data only _internal one. </P> <P>i don't want to store this particular _internal data in this indexer, it should move to the new indexers. </P> Tue, 20 Feb 2018 10:06:09 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-internal-from-Indexer/m-p/103542#M21780 benazir 2018-02-20T10:06:09Z