Forward _internal from Indexer

ephemeric
Contributor

Hi,

If I forward the _internal index from an indexer to my management Splunk instance, the license master, I can search the _internal index.

But, if I search the main index, there are a lot of forwarded events there too that are based on non-internal sourcetypes and sources.

Has anyone seen this before?

outputs.conf
[tcpout]
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = _internal
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false

[tcpout:management]
server = 172.20.10.35:9997
compressed = false
sendCookedData = true

inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = management
index = _internal

0 Karma
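An added example, not part of the original post and not Splunk's own code: a small Python model of how the ordered `forwardedindex.<n>` rules in the `[tcpout]` stanza above decide which target indexes are forwarded, with later rules overriding earlier ones. The function names are hypothetical, and whole-name regex matching and the "no rule matches" default are assumptions.

```python
import re

# The [tcpout] filter lines from the post above, copied verbatim.
OUTPUTS_CONF = """\
[tcpout]
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = _internal
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
"""

RULE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+?)\s*$")
DISABLE = re.compile(r"^forwardedindex\.filter\.disable\s*=\s*(\S+)")


def parse_filters(conf_text):
    """Return (rules sorted by <n>, filter_disabled) from outputs.conf text."""
    rules, disabled = [], False
    for line in conf_text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
            continue
        m = DISABLE.match(line)
        if m:
            disabled = m.group(1).lower() in ("true", "1")
    return sorted(rules, key=lambda r: r[0]), disabled


def is_forwarded(index_name, rules, disabled=False):
    """Rules are tested from 0 upward; the last rule that matches decides."""
    if disabled:
        return True  # filtering off: events for all indexes are forwarded
    decision = False  # assumption: an index matched by no rule is not forwarded
    for _n, kind, regex in rules:
        # Assumption: the regex must match the whole index name.
        if regex.fullmatch(index_name):
            decision = (kind == "whitelist")
    return decision


def forwarded_indexes(conf_text, index_names):
    """Filter a list of target index names through the parsed rules."""
    rules, disabled = parse_filters(conf_text)
    return [n for n in index_names if is_forwarded(n, rules, disabled)]


if __name__ == "__main__":
    # Constructed list of target indexes, for illustration only.
    print(forwarded_indexes(OUTPUTS_CONF, ["main", "_internal", "_audit", "_introspection"]))
```

The filter acts on the index an event is targeted to on the forwarding side; it does not control which index the receiving instance writes to.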

jbsplunk
Splunk Employee

I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non-internal data is the main index. This sounds like normal behavior from my perspective.

benazir
Explorer

Hi,
I am having this problem now, for the _internal data routing to the new indexer.
My problem is: I have to forward the _internal index alone from an indexer to the new indexer; it should not forward all the data, only the _internal one.

I don't want to store this particular _internal data in this indexer; it should move to the new indexers.

0 Karma

ephemeric
Contributor

My bad. We were forwarding raw unparsed data which was hence uncooked and the resulting sourcetype pollution ensued.

0 Karma

ephemeric
Contributor

My bad. Sorry, the main index on the Splunk management instance has nothing, just checked. I forward the _internal index from an indexer to this management instance and end up with a stack of non _internal index events in the main index on the management instance.

0 Karma
