Getting Data In

Heavy Forwarder outputs.conf settings not working as expected

Loves-to-Learn Lots


I am having issues with my heavy forwarder getting data into my indexers without having a local indexes.conf containing the index name.

I am doing all .conf work from the cli and not the webUI.   The issue is the "forwardedindex.filter.disbale=true" is not working as expected and I have to either:

1.  Create a local copy of the index I want to send to in indexes.conf

2. Add the index name to the whitelist setting for outputs.conf

Otherwise data does not get sent to the indexers.

Assistance please.

Here is my output.conf for example:

defaultGroup = test_indexers
forwardedindex.filter.disable = true
indexAndForward = false

#server = <ip address>:<9996>
server = x.x.x.x:9996,x.x.x.x:9996
disabled = false
sslPassword = <nope>
sslCertPath = $SPLUNK_HOME
sslRootCAPath = $SPLUNK_HOME

Labels (2)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!