Deployment Architecture

forwardindex doesn't seem to work

sf_user_199
Path Finder

We have a search head, reporting search head, and a deployment server. I have them configured to send their internal data to our indexers.

The issue we have is that send some, but not all _internal data.

Specific issues:

-reporting search head & search head do not forward their metrics.log file

-deployment server is running the deployment monitor app. When configured to forward all it's data to the indexers, it will send enough information to the indexers so that we can use the 'all forwarders' dashboard, but none of the source or sourcetype information is sent to the indexers.

Here is our outputs.conf:

[tcpout]
defaultGroup = indexers
disabled = false
indexAndForward = 0
forwardindex.0.whitelist= _internal
forwardindex.filter.disable = false

[tcpout:indexers]
server = a,b,c,d,e
autoLB = true

Any suggestions?

1 Solution

sf_user_199
Path Finder

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal

View solution in original post

0 Karma

sf_user_199
Path Finder

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal
0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...