Solved: How to selectively not forward based on index?

hobbes3 · ‎08-29-2013

I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance.

Now the forwarder is trying to send all of the *NIX app inputs with index = os to my indexer and my search head/indexer is giving the following warning:

Search peer splunk-id1 has the following message: received event for unconfigured/disabled/deleted index='os' with source='source::netstat' host='host::hobbes3-server' sourcetype='sourcetype::netstat' (1 missing total)

I believe the indexer is confused because there is no os index on the indexer. Beside, I don't want to forward my *NIX app inputs to the indexer anyway.

Is there a way to selectively not forward the os index?

I know this answer shows how to selectively index and forward, but it's by source. The *NIX app has about 25 inputs and I don't want to type _TCP_ROUTING 25 times in inputs.conf.

Here is my outputs.conf if that's useful for anyone:

root@hobbes3-server /opt/splunk/bin # ./splunk cmd btool outputs list --debug
/opt/splunk/etc/system/local/outputs.conf   [tcpout]
/opt/splunk/etc/system/local/outputs.conf   autoLB = true
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf   defaultGroup = ec2_indexers
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf   indexAndForward = true
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/local/outputs.conf   maxQueueSize = 7MB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/local/outputs.conf   useACK = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf   [tcpout:ec2_indexers]
/opt/splunk/etc/system/local/outputs.conf   server = aa.aa.aa.aa:9997, bb.bb.bb.bb:9997, cc.cc.cc.cc:9997, dd.dd.dd.dd:9997

sowings · ‎08-29-2013

Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".

View solution in original post

sowings · ‎08-29-2013

Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".

How to selectively not forward based on index?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms