How to forward all indexed data from all indexes f...

ififitsisits · ‎05-21-2020

I am using Splunk Free, and the Splunk add-on for AWS, attempting to index and forward generic s3 data with a custom index name to a Splunk Enterprise instance. It looks like data is being indexed, and the ssl connection is connecting, but not forwarding data. I have indexed data that shows in the web client. I am getting the following repeated output in splunkd.log

05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
05-21-2020 10:23:25.150 -0400 INFO LMStackMgr - license_warnings_update_interval=auto has reached the minimum threshold 10. Will not reduce license_warnings_update_interval beyond this value

In outputs.conf to account for sending all indexes I used 'forwardedindex.0.whitelist = .*'

inputs.conf
[default]
host = hostname
disabled=0

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true
disabled = false
forwardedindex.0.whitelist = .*

[tcpout:default-autolb-group]
compressed = true
server = ip:9998
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
sendCookedData = true

What is the required change in my forwarder configuration?

How to forward all indexed data from all indexes from heavy forwarder to another instance over ssl?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation