Solved: forwardindex doesn't seem to work

sf_user_199 · ‎09-01-2011

We have a search head, reporting search head, and a deployment server. I have them configured to send their internal data to our indexers.

The issue we have is that send some, but not all _internal data.

Specific issues:

-reporting search head & search head do not forward their metrics.log file

-deployment server is running the deployment monitor app. When configured to forward all it's data to the indexers, it will send enough information to the indexers so that we can use the 'all forwarders' dashboard, but none of the source or sourcetype information is sent to the indexers.

Here is our outputs.conf:

[tcpout]
defaultGroup = indexers
disabled = false
indexAndForward = 0
forwardindex.0.whitelist= _internal
forwardindex.filter.disable = false

[tcpout:indexers]
server = a,b,c,d,e
autoLB = true

Any suggestions?

sf_user_199 · ‎09-19-2011

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal

View solution in original post

sf_user_199 · ‎09-19-2011

I'm trying this out:

http://splunk-base.splunk.com/answers/10679/how-do-i-enable-the-_internal-index-to-be-forwarded

[monitor://$SPLUNK_HOME/var/log/splunk/]
_TCP_ROUTING = * 
index = _internal

forwardindex doesn't seem to work

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...