https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530945#M89345 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201643">@k31453</a>&nbsp;</P><P>I believe you are looking for below: Note: you can only index _internal logs using this method.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing_and_internal_logs" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing_and_internal_logs</A></P><P>&nbsp;</P> Thu, 26 Nov 2020 06:57:49 GMT thambisetty 2020-11-26T06:57:49Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530751#M89314 <P>As title suggest, i want to index internal logs only and forwards all other logs to forwarders or idxs.<BR /><BR />Here is the setup :</P><UL><LI>I have one cluster and three indexes setup seperately outside cluster.</LI><LI>Cluster has CM, SH and three indexers.</LI><LI>Those Three indexers i want to use as Heavy forwarder to send all logs out to external indexes<BR /><BR /></LI></UL><P>Following is default output.conf:</P><LI-CODE lang="markup">[tcpout] maxQueueSize = auto forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup) forwardedindex.filter.disable = false indexAndForward = false</LI-CODE><P>Here is what I have done outputs.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[tcpout] defaultGroup=noforward disabled=false [indexAndForward] index=true selectiveIndexing=true [tcpout:forwarders] server:&lt;forwarders&gt;:9997</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;<BR />Below is my props.conf</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[default] TRANSFORMS-forwardit = forwardit [host::*.foo.splunk.com] TRANSFORMS-routing = indexing</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><BR />Below is transforms.conf</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[forwardit] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = forwarders [indexing] REGEX = . DEST_KEY = _INDEX_AND_FORWARD_ROUTING FORMAT = local</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;<BR />Essentially all internal indexes should stay within cluster indexes but rest of index or logs forwarded to external indexes.</P> Thu, 26 Nov 2020 04:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530751#M89314 k31453 2020-11-26T04:01:36Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530758#M89316 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201643">@k31453</a>&nbsp;</P><P>The Splunk Doc is very much detailed on the question you have asked. check it out using below link.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding</A></P> Wed, 25 Nov 2020 06:06:06 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530758#M89316 thambisetty 2020-11-25T06:06:06Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530918#M89341 <P>Hi, if the intention is to index all internal indexes, i have set<STRONG>&nbsp;</STRONG><SPAN><STRONG>_INDEX_AND_FORWARD_ROUTING</STRONG> and&nbsp;</SPAN></P><P><STRONG>_TCP_ROUTING</STRONG> which can cause the issue.</P> Wed, 25 Nov 2020 23:57:34 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530918#M89341 k31453 2020-11-25T23:57:34Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530924#M89343 <P>For me by default i want to forward new indexes created and internal indexes has to be indexed locally. My thoughts is , setup tcpgroup for forwarders and in outputs.conf and inputs.conf i should modify but not sure how.</P> Thu, 26 Nov 2020 00:21:57 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530924#M89343 k31453 2020-11-26T00:21:57Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530945#M89345 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201643">@k31453</a>&nbsp;</P><P>I believe you are looking for below: Note: you can only index _internal logs using this method.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing_and_internal_logs" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing_and_internal_logs</A></P><P>&nbsp;</P> Thu, 26 Nov 2020 06:57:49 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/530945#M89345 thambisetty 2020-11-26T06:57:49Z https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/531089#M89361 <P>Well. This tells me i have to use inputs.conf to ensure routing. By default I want to forward logs. But if i see internal logs i will index it and not forward it. This basically is telling me i have to put&nbsp;<SPAN><STRONG>_INDEX_AND_FORWARD_ROUTING</STRONG> on all internal inputs.conf this can cause the issue.&nbsp;</SPAN></P> Fri, 27 Nov 2020 00:48:15 GMT https://community.splunk.com/t5/Getting-Data-In/Index-internal-logs-locally-and-forward-all-other-logs/m-p/531089#M89361 k31453 2020-11-27T00:48:15Z