I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance.
Now the forwarder is trying to send all of the *NIX app inputs with index = os
to my indexer and my search head/indexer is giving the following warning:
Search peer splunk-id1 has the following message: received event for unconfigured/disabled/deleted index='os' with source='source::netstat' host='host::hobbes3-server' sourcetype='sourcetype::netstat' (1 missing total)
I believe the indexer is confused because there is no os index on the indexer. Beside, I don't want to forward my *NIX app inputs to the indexer anyway.
Is there a way to selectively not forward the os index?
I know this answer shows how to selectively index and forward, but it's by source. The *NIX app has about 25 inputs and I don't want to type _TCP_ROUTING 25 times in inputs.conf.
Here is my outputs.conf if that's useful for anyone:
root@hobbes3-server /opt/splunk/bin # ./splunk cmd btool outputs list --debug
/opt/splunk/etc/system/local/outputs.conf [tcpout]
/opt/splunk/etc/system/local/outputs.conf autoLB = true
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf defaultGroup = ec2_indexers
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf indexAndForward = true
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/local/outputs.conf maxQueueSize = 7MB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/local/outputs.conf useACK = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout:ec2_indexers]
/opt/splunk/etc/system/local/outputs.conf server = aa.aa.aa.aa:9997, bb.bb.bb.bb:9997, cc.cc.cc.cc:9997, dd.dd.dd.dd:9997
Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".
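To see why a fourth rule works alongside the three defaults shown in the btool output above, here is an added Python example (not from the question or answer, and not Splunk's own code) that parses the forwardedindex.<n> chain from constructed btool-style lines and evaluates it for a few index names the way the forwarder does: rules are tested in order and the last one whose regex matches the index name decides. The sample input and the assumption that each regex is matched anchored against the whole index name are the example's own.

```python
import re

# Constructed sample of `splunk cmd btool outputs list --debug` output:
# the three default filters from the question plus the answer's added rule.
BTOOL_SAMPLE = """\
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/local/outputs.conf forwardedindex.3.blacklist = os
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
"""

_RULE = re.compile(r"forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(\S.*)$")

def parse_filters(btool_text):
    """Return the ordered [(n, kind, regex)] chain found in btool output.
    Splunk requires <n> to start at 0 with no gaps, so that is checked here."""
    rules = {}
    for line in btool_text.splitlines():
        m = _RULE.search(line)
        if m:
            rules[int(m.group(1))] = (m.group(2), m.group(3).strip())
    if sorted(rules) != list(range(len(rules))):
        raise ValueError("forwardedindex.<n> must be contiguous from 0, got %s" % sorted(rules))
    return [(n, rules[n][0], rules[n][1]) for n in sorted(rules)]

def is_forwarded(index_name, filters):
    """Test every rule in order; the LAST rule whose regex matches wins.
    That is why the defaults still forward _internal: rule 1 blocks _.*,
    rule 2 re-allows (_audit|_internal). No matching rule means forward.
    Assumption: the regex is matched against the whole index name."""
    decision = True
    for _n, kind, pattern in filters:
        if re.fullmatch(pattern, index_name):
            decision = (kind == "whitelist")
    return decision

def forwarded_indexes(btool_text, names):
    """Map each index name to True (forwarded) or False (dropped locally)."""
    filters = parse_filters(btool_text)
    return {name: is_forwarded(name, filters) for name in names}

if __name__ == "__main__":
    verdicts = forwarded_indexes(BTOOL_SAMPLE, ["os", "main", "_internal", "_introspection"])
    for name, ok in verdicts.items():
        print("%-15s %s" % (name, "forwarded" if ok else "dropped"))
```

With the added rule, os is dropped while main and _internal still reach the indexer; removing the rule from the sample makes os forwarded again.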