Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forward _internal from Indexer
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If I forward the _internal index from an indexer to my management Splunk instance, the license master, I can search the _internal index.
But, if I search the main index, there are a lot of forwarded events there too that are
based on non-internal sourcetypes and sources.
Has anyone seen this before?
outputs.conf
[tcpout]
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = _internal
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
[tcpout:management]
server = 172.20.10.35:9997
compressed = false
sendCookedData = true
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = management
index = _internal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non internal data is the main index. This sounds like normal behavior from my perspective.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I am having this problem now , for the _internal data routing to the new indexer .
my problem is - I have to forward _internal index alone from a indexer to the new indexer , it should not forward all the data only _internal one.
i don't want to store this particular _internal data in this indexer, it should move to the new indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad. We were forwarding raw unparsed data which was hence uncooked and the resulting sourcetype pollution ensued.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad. Sorry, the main index on the Splunk management instance has nothing, just checked. I forward the _internal index from an indexer to this management instance and end up with a stack of non _internal index events in the main index on the management instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non internal data is the main index. This sounds like normal behavior from my perspective.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
