https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32396#M375 <P>Note that the forwardedindex.whitelist.2 entry described above is the default starting with version 5.0.2, I believe.</P> Thu, 15 Aug 2013 01:22:15 GMT sowings 2013-08-15T01:22:15Z https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32393#M372 <P>Hi,<BR /> I have the following outputs.conf set in deployment server but the _internal index doesn't seem to be forwarded to the Indexer. What do I miss?</P> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[tcpout] autoLB=true autoLBFrequency=30 blockOnCloning=true compressed=false connectionTimeout=20 disabled=false&gt; dropClonedEventsOnQueueFull=5 dropEventsOnQueueFull=-1 forwardedindex.0.whitelist=.* forwardedindex.1.whitelist=_.* forwardedindex.2.whitelist=_audit forwardedindex.filter.disable=false heartbeatFrequency=30 indexAndForward=false maxConnectionsPerIndexer=2 maxFailuresPerInterval=2 maxQueueSize=500KB readTimeout=300 secsInFailureInterval=1 sendCookedData=true server=165.36.15.217:9997,165.36.15.218:9997 useACK=false writeTimeout=300 </CODE></PRE> <P>Please help.</P> <P>Thanks.</P> Mon, 12 Aug 2013 19:30:29 GMT https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32393#M372 ch_goh 2013-08-12T19:30:29Z https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32394#M373 <P>Can you try changing your <EM>forwardedindex.2</EM> line to :</P> <PRE><CODE>forwardedindex.2.whitelist = (_audit|_internal) </CODE></PRE> <P>Also, your other forwardedindex lines (0 and 1) are essentially saying any "1-character" or _"1-character" indexes should be forwarded - these are regular expressions defining the index names you want to forward.</P> <P>Alternatively, can you simplify your outputs.conf? You really only need the entries you want to override compared to what's in <EM>etc/system/default/outputs.conf</EM> - I noticed a lot of your settings are the same as what's in the default.</P> <P>So for example you could have the following much simpler version of your outputs.conf that forwards all indexes (and have this located in <EM>etc/system/local</EM> or an app's <EM>default</EM> directory's <EM>outputs.conf</EM>:</P> <PRE><CODE>[tcpout] forwardedindex.0.whitelist=.* forwardedindex.1.blacklist= forwardedindex.2.whitelist= [tcpout:splunk] server=165.36.15.217:9997,165.36.15.218:9997 autoLB=true </CODE></PRE> Wed, 14 Aug 2013 21:21:08 GMT https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32394#M373 jhupka 2013-08-14T21:21:08Z https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32395#M374 <P>It works. Thanks.</P> Thu, 15 Aug 2013 01:00:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32395#M374 ch_goh 2013-08-15T01:00:59Z https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32396#M375 <P>Note that the forwardedindex.whitelist.2 entry described above is the default starting with version 5.0.2, I believe.</P> Thu, 15 Aug 2013 01:22:15 GMT https://community.splunk.com/t5/Monitoring-Splunk/forward-internal-index-from-deployment-server/m-p/32396#M375 sowings 2013-08-15T01:22:15Z