Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ForwarderInfo log events after upgrader to 5.0.1

tlabue
Path Finder
‎03-15-2013 07:47 AM

After we upgraded from 4.3.4 to 5.0.1, in out Splunk output streams we started receiving the following unwanted events:

ForwardInfo build=143156 version=5.0.1 os=Linux arch=x86_64 hostname=<serverName> guid=A5E34FA-C8AC-4A52-A59B-5660FDA25F94 fwdType=full ssl=false lastIndexer=None

We are sending the output streams to another application which packages them for delivery to a Splunk instance on another isolated network.

Here are some snippets from our outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = nothing

[tcp:nothing]
disabled = false
server = <false server name>
dropEventsonQueueFull = 1

[tcp:server1]
server = appserver1:port, appserver2:port
autoLBFrequency = 88
sendCookedData = false
heartbeatFrequency = 0

[tcp:server2]
....

This allows outputs events by server and allows us to keep this data separated into different files for events coming from different servers.

We have tried some other permutations:
a. Removing the defaultGroup
This removed the ForwarderInfo messages, but added audit log messages, which were more frequent
b. Remove the defaultGroup and add whitelist and blacklist to the tcpout stanza

forwaderindex.0.whitelist = .*
forwaderindex.1.blacklist = _.*
forwaderindex.2.whitelist = _whatever

This removed the audit logs and ForwardInfo events, but now all log events went to each output file, which is not what we are looking for either.

Anyone have any idea on removing the ForwarderInfo without adding anything to the stream?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tlabue
Path Finder
‎02-19-2014 07:35 AM

We found out by setting by disabling the default tcp stanza, we stopped getting the ForwarderInfo lines.

[tcp:nothing]
disabled = true
server =
dropEventsonQueueFull = 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tlabue
Path Finder
‎02-19-2014 07:35 AM

We found out by setting by disabling the default tcp stanza, we stopped getting the ForwarderInfo lines.

[tcp:nothing]
disabled = true
server =
dropEventsonQueueFull = 1

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...