Hmmm...just clarifying further or splitting the hair as it seems 🙂 ..or maybe need some jolt of java
ONLY after adding the custom index on my forwarder was an issue with HWF for this to work ? with receiving cluster peers

and in case i go for UF ...i dont need to add the custom index at UF level ..all i need to do is add monitor i shuld be done

really appreciate!

Unless there is a very specific reason to use regular/heavy weight forwarder(HWF), I would recommend using Universal forwarder(UF). If you use UF, you will not hit this bug. If you edit inputs.conf manually(you will need to for HWF for this case), you will need to either restart forwarder, or hit REST endpoint https://splunk-server:8089/services/data/inputs/monitor/_reload to ask splunkd to reload. Adding inputs via monitor is definitely simpler.

Hmm..bear with me 🙂

1)Normally i would not need to add indexes on the forwarder i would just add inputs

But in this case only after adding indexes on forwarder it was forwarded to the receiver index...

so are you recommending i use a universal forwarder and i will not run into this bug at all ? and just be adding inputs through add monitor command or directly edit inputs.conf it should be ok on a universal fowarder

Thanks!

1. If you are using Universal forwarder, then CLI would not throw the error. Seems like you are using regular/heavy weight forwarder, so CLI incorrectly validates and errors out. I would recommend just editing inputs.conf and specifying index. This way you can avoid adding indexes on forwarder. This is not yet addressed in 6.0.

2. Have not seen any issue specific to authentication on search head. May want to get in touch with support and upload diag. What is the specific error message reported by search head?

1 Should we be adding these custom indexes normally to a forwarder...if its a known issue with Cluster based fowarding is there a known bugid for this somewhere and is it resolved in splunk 6 ? or splunk 5.0.5?

2)Run into authetication issues at search head now ..ugh...autentication issues sis very flaky...restart or readd serach head resolves everytime hmmm confidence just dropping

Appreciate inputs

I meant you to add custom indexes on forwarder that were pushed out from master to cluster peers.

As far as data not found on cluster search head is concerned, I think those were already forwarded to main index in your previous attempt. Could you check if they are in main index?

I added indexes my custom indexes and also idx1 on forwarder and restarted the add monitor now does not fail BUT do not see nay data on the cluster search head for those indexes ...howoever the main was forwarded correctly

Appreciate pointers..did you really mean for me to add a index name idx1 on fowarder ? or only my custom indexes?

Seems like you are using Heavy weight forwarder(HWF).

Please define the index on the forwarder instance as well. The index on HWF would not take any space, but will merely allow validation to pass.
Or,
You can edit inputs.conf to add 'index=' to specific input stanza.

For Universal forwarder, we skip validation of index, so CLI with index param does not throw any error.

Seems like CLI/REST endpoint is running into validation error. You can try one of the following:

• You may want to try adding this index (splunk add index -name 'idx1') on the forwarder as well to avoid this error.

• Edit inputs.conf and for monitor stanza add 'index=idx1' param and restart. Forwarding should happen to correct index.

I will file a ticket for CLI/REST issue.

I would try to forward the data to the main index to double check the communication between the forwarder and the peers.
I would also go to the UI of every peer to Manager->Indexes and take a look if the index is visible there, enabled, and the configuration of it works fine.
You might use this:

| eventcount summarize=false index=* |
dedup index | fields index

to see if you index is seen by the search head.