ForwarderInfo log events after upgrade to 5.0.1

tlabue
Path Finder

After we upgraded from 4.3.4 to 5.0.1, we started receiving the following unwanted events in our Splunk output streams:

ForwardInfo build=143156 version=5.0.1 os=Linux arch=x86_64 hostname=<serverName> guid=A5E34FA-C8AC-4A52-A59B-5660FDA25F94 fwdType=full ssl=false lastIndexer=None

We are sending the output streams to another application which packages them for delivery to a Splunk instance on another isolated network.

Here are some snippets from our outputs.conf:

[tcpout]
indexAndForward = true
defaultGroup = nothing

[tcpout:nothing]
disabled = false
server = <false server name>
dropEventsOnQueueFull = 1

[tcpout:server1]
server = appserver1:port, appserver2:port
autoLBFrequency = 88
sendCookedData = false
heartbeatFrequency = 0

[tcpout:server2]
....

This allows us to output events by server and to keep this data separated into different files for events coming from different servers.

We have tried some other permutations:
a. Removing the defaultGroup
This removed the ForwarderInfo messages, but added audit log messages, which were more frequent.
b. Remove the defaultGroup and add whitelist and blacklist to the tcpout stanza

forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _whatever

This removed the audit logs and ForwardInfo events, but now all log events went to each output file, which is not what we are looking for either.

Anyone have any idea on removing the ForwarderInfo without adding anything to the stream?

0 Karma
1 Solution

tlabue
Path Finder

We found out that by disabling the default tcp stanza, we stopped getting the ForwarderInfo lines.

[tcpout:nothing]
disabled = true
server =
dropEventsOnQueueFull = 1

0 Karma
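
An added example, not part of the original thread: a check the packaging application could run on the raw stream to confirm that no ForwardInfo events (which carry the forwarder's hostname, GUID and version) remain after the change above. The function names and the sample lines are assumptions constructed for illustration; the field names come from the event quoted in the question.

```python
import re

# Field names taken from the ForwardInfo event quoted in the question.
EXPECTED_KEYS = {"build", "version", "os", "arch", "hostname", "guid",
                 "fwdType", "ssl", "lastIndexer"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_forward_info(line):
    """Return the key=value fields if `line` is a ForwardInfo event, else None."""
    head, _, rest = line.strip().partition(" ")
    if head != "ForwardInfo":
        return None
    fields = dict(KV.findall(rest))
    # Require most of the known keys so that an application log line which
    # merely starts with the word "ForwardInfo" is not treated as metadata.
    if len(EXPECTED_KEYS.intersection(fields)) < 5:
        return None
    return fields


def split_stream(lines):
    """Separate payload lines from forwarder metadata events."""
    payload, metadata = [], []
    for line in lines:
        fields = parse_forward_info(line)
        if fields is None:
            payload.append(line)
        else:
            metadata.append(fields)
    return payload, metadata


# Constructed sample stream (hostname and GUID are made-up values).
SAMPLE = [
    "2012-12-01 10:00:01 app=orders status=ok",
    "ForwardInfo build=143156 version=5.0.1 os=Linux arch=x86_64 "
    "hostname=host01.example guid=00000000-0000-0000-0000-000000000000 "
    "fwdType=full ssl=false lastIndexer=None",
    "ForwardInfo is mentioned in this ordinary log line",
]

if __name__ == "__main__":
    payload, metadata = split_stream(SAMPLE)
    print(f"{len(payload)} payload lines, {len(metadata)} ForwardInfo events")
    for m in metadata:
        print("metadata event from", m.get("hostname"), "guid", m.get("guid"))
```
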
