I am trying to forward to a third-party system from a Universal forwarder. I have tried two approaches. In both cases I am receiving a lot of unnecessary data on the third-party end. It looks like Splunk is not only forwarding the file that I am monitoring but also internal logs as well. What can I do to fix this? I am attaching conf files for both:
Approach 1: use props, transforms, and outputs
Approach 2: use inputs.conf and outputs.conf (I deleted everything from props and transforms)
forwardedindex.0.blacklist = (internal|_audit)
Please go through the link below for more details.
I have tried this and it didn't work. Moreover, the link said to add the blacklist under a global tcp stanza only; I tried that and it didn't work either.
I actually added the following lines in outputs.conf, but to no avail:
forwardedindex.0.blacklist = (internal|audit|telemetry|introspection)
forwardedindex.2.blacklist = (internal|audit|telemetry|introspection)
I have figured out two ways to block internal logs from being forwarded:
Use disabled=true for the inputs that have to be blocked. For me, I blocked the ones that had _TCP_ROUTING=* set in the default inputs.conf files inside $SPLUNK_HOME/etc/system/default and $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.
use the blacklist. According to the documentation, a whitelist can override a blacklist when both have the same number, and the filtering order is based on increasing number. Also, the filtering will only work under the [tcpout] stanza.
So, here, the whitelist would win
And here, the blacklist would win
From the default conf files, I figured out that there are 3 lists going from 0 to 2. So I added the following snippet in $SPLUNK_HOME/etc/system/local/outputs.conf, and it worked.
[tcpout]
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)
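To see why the new rule has to be number 3 rather than reuse number 2, here is a small model of the forwardedindex ordering described in this answer (increasing number, whitelist wins a tie). It is an added example, not part of the thread or of Splunk; the three default rules in the constructed outputs.conf fragment are assumed to resemble the stock Universal Forwarder defaults and full-regex matching is a modelling assumption.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed outputs.conf fragment. Rules 0-2 are ASSUMED to look like the
# Universal Forwarder defaults (not copied from the thread); rule 3 is the one
# this answer adds to $SPLUNK_HOME/etc/system/local/outputs.conf.
OUTPUTS_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)
"""

RULE_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+?)$")


def parse_rules(conf: str) -> List[Tuple[int, str, Pattern]]:
    """Collect forwardedindex rules, but only from the [tcpout] stanza,
    since the filter is documented to work only there. Sorted by number;
    for a tie, 'blacklist' sorts before 'whitelist', so the whitelist is
    applied last and wins, as the answer states."""
    rules, stanza = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            stanza = line
            continue
        m = RULE_RE.match(line)
        if m and stanza == "[tcpout]":
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
    return sorted(rules, key=lambda r: (r[0], r[1]))


def is_forwarded(index: str, rules: List[Tuple[int, str, Pattern]]) -> bool:
    """Apply rules in increasing order; the last rule matching the target
    index decides. An index matched by nothing is forwarded (assumption)."""
    decision = True
    for _n, kind, pattern in rules:
        if pattern.fullmatch(index):
            decision = kind == "whitelist"
    return decision


def forwarded_indexes(conf: str, candidates: List[str]) -> Dict[str, bool]:
    rules = parse_rules(conf)
    return {idx: is_forwarded(idx, rules) for idx in candidates}
```

Swapping `forwardedindex.3.blacklist` for `forwardedindex.2.blacklist` in the fragment makes `_internal` forwarded again, because the same-numbered whitelist wins the tie.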
I tried method 1, but it doesn't seem to work.
Did you put your inputs.conf somewhere else?