How to selectively not forward based on index?

hobbes3
Explorer

I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance.

Now the forwarder is trying to send all of the *NIX app inputs with index = os to my indexer and my search head/indexer is giving the following warning:

Search peer splunk-id1 has the following message: received event for unconfigured/disabled/deleted index='os' with source='source::netstat' host='host::hobbes3-server' sourcetype='sourcetype::netstat' (1 missing total)

I believe the indexer is confused because there is no os index on the indexer. Besides, I don't want to forward my *NIX app inputs to the indexer anyway.

Is there a way to selectively not forward the os index?

I know this answer shows how to selectively index and forward, but it's by source. The *NIX app has about 25 inputs and I don't want to type _TCP_ROUTING 25 times in inputs.conf.

Here is my outputs.conf if that's useful for anyone:

root@hobbes3-server /opt/splunk/bin # ./splunk cmd btool outputs list --debug
/opt/splunk/etc/system/local/outputs.conf   [tcpout]
/opt/splunk/etc/system/local/outputs.conf   autoLB = true
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf   defaultGroup = ec2_indexers
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf   indexAndForward = true
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/local/outputs.conf   maxQueueSize = 7MB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/local/outputs.conf   useACK = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf   [tcpout:ec2_indexers]
/opt/splunk/etc/system/local/outputs.conf   server = aa.aa.aa.aa:9997, bb.bb.bb.bb:9997, cc.cc.cc.cc:9997, dd.dd.dd.dd:9997
1 Solution

sowings
Splunk Employee

Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".
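
Added example, not part of the answer above and not Splunk's own code: a small Python model of how the forwardedindex filter list from the question's btool output decides per index once the suggested entry 3 is appended. It assumes the rules are walked in order of n, that the last rule matching the whole index name decides, and that an index matching no rule is not forwarded; the function names and the sample index list are made up for the illustration.

```python
import re

# forwardedindex lines as listed in the question's btool output, plus the
# filter proposed in the answer (entry 3).
CONF = """\
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
forwardedindex.3.blacklist = os
"""

RULE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+)$")


def parse_filters(text):
    """Return [(n, kind, compiled_regex)] sorted by n."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3).strip())))
    return sorted(rules, key=lambda r: r[0])


def is_forwarded(index, rules):
    """Assumed model: the last rule (by n) whose regex matches the whole
    index name decides; an index that matches no rule is not forwarded."""
    decision = False
    for _n, kind, rx in rules:
        if rx.fullmatch(index):
            decision = kind == "whitelist"
    return decision


def report(text, indexes):
    """Map each index name to True (forwarded) or False (kept local only)."""
    rules = parse_filters(text)
    return {ix: is_forwarded(ix, rules) for ix in indexes}


if __name__ == "__main__":
    # Constructed sample of index names to evaluate.
    sample = ["main", "os", "_internal", "_audit", "_thefishbucket"]
    for ix, fwd in report(CONF, sample).items():
        print(f"{ix:16} {'forward' if fwd else 'keep local'}")
```

On the real forwarder, the merged result can be checked with the same `./splunk cmd btool outputs list --debug` command shown in the question.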
