Solved: forwardindex doesn't seem to work

sf_user_199 · ‎09-01-2011

We have a search head, reporting search head, and a deployment server. I have them configured to send their internal data to our indexers.

The issue we have is that send some, but not all _internal data.

Specific issues:

-reporting search head & search head do not forward their metrics.log file

-deployment server is running the deployment monitor app. When configured to forward all it's data to the indexers, it will send enough information to the indexers so that we can use the 'all forwarders' dashboard, but none of the source or sourcetype information is sent to the indexers.

Here is our outputs.conf:

[tcpout]
defaultGroup = indexers
disabled = false
indexAndForward = 0
forwardindex.0.whitelist= _internal
forwardindex.filter.disable = false

[tcpout:indexers]
server = a,b,c,d,e
autoLB = true

Any suggestions?

sf_user_199 · ‎09-19-2011

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal

View solution in original post

sf_user_199 · ‎09-19-2011

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal

forwardindex doesn't seem to work

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation