How to selectively not forward based on index?

hobbes3
Explorer

I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance.

Now the forwarder is trying to send all of the *NIX app inputs with index = os to my indexer and my search head/indexer is giving the following warning:

Search peer splunk-id1 has the following message: received event for unconfigured/disabled/deleted index='os' with source='source::netstat' host='host::hobbes3-server' sourcetype='sourcetype::netstat' (1 missing total)

I believe the indexer is confused because there is no os index on the indexer. Besides, I don't want to forward my *NIX app inputs to the indexer anyway.

Is there a way to selectively not forward the os index?

I know this answer shows how to selectively index and forward, but it's by source. The *NIX app has about 25 inputs and I don't want to type _TCP_ROUTING 25 times in inputs.conf.

Here is my outputs.conf if that's useful for anyone:

root@hobbes3-server /opt/splunk/bin # ./splunk cmd btool outputs list --debug
/opt/splunk/etc/system/local/outputs.conf   [tcpout]
/opt/splunk/etc/system/local/outputs.conf   autoLB = true
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf   defaultGroup = ec2_indexers
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf   indexAndForward = true
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/local/outputs.conf   maxQueueSize = 7MB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/local/outputs.conf   useACK = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf   [tcpout:ec2_indexers]
/opt/splunk/etc/system/local/outputs.conf   server = aa.aa.aa.aa:9997, bb.bb.bb.bb:9997, cc.cc.cc.cc:9997, dd.dd.dd.dd:9997

1 Solution

sowings
Splunk Employee

Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".
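As an added illustration (not part of the answer above or of Splunk's own code), the script below parses these outputs.conf keys and models how the ordered forwardedindex whitelist/blacklist filters decide whether events for a given index leave the forwarder. The "highest-numbered matching filter wins" evaluation order and whole-index-name regex matching are assumptions inferred from the three default rules in the btool output (.* forwarded, _.* blocked, then _audit/_internal re-allowed), so verify against the outputs.conf.spec of your version before relying on it.

```python
import re

# Constructed sample: the three default filters shown in the btool output
# plus the extra blacklist the answer recommends.
OUTPUTS_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
forwardedindex.3.blacklist = os
forwardedindex.filter.disable = false
"""

FILTER_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+?)\s*$")


def parse_filters(conf_text):
    """Return (filters sorted by <n> as (n, kind, regex), filtering_disabled)."""
    filters, disabled = [], False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("forwardedindex.filter.disable"):
            disabled = line.split("=", 1)[1].strip().lower() == "true"
            continue
        m = FILTER_RE.match(line)
        if m:
            filters.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
    return sorted(filters), disabled


def is_forwarded(index, filters, disabled=False):
    """Modelled evaluation (assumption): filters run in ascending <n> and the
    highest-numbered filter whose regex matches the index name decides.
    An index matched by no filter is forwarded."""
    if disabled:
        return True
    decision = True
    for _, kind, regex in filters:
        if regex.fullmatch(index):  # assumed: regex must match the whole index name
            decision = (kind == "whitelist")
    return decision


def forwarding_plan(conf_text, indexes):
    filters, disabled = parse_filters(conf_text)
    return {ix: is_forwarded(ix, filters, disabled) for ix in indexes}


if __name__ == "__main__":
    plan = forwarding_plan(OUTPUTS_CONF, ["os", "main", "_internal", "_audit", "_introspection"])
    for ix, fwd in plan.items():
        print(f"{ix:15} -> {'forward' if fwd else 'drop'}")
```

Running it shows os and _introspection dropped while main, _audit and _internal are still forwarded, which is the behaviour the extra blacklist is meant to produce without touching any of the 25 inputs.conf stanzas.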
