Getting Data In
Highlighted

How to forward all indexed data from all indexes from heavy forwarder to another instance over ssl?

New Member

I am using Splunk Free, and the Splunk add-on for AWS, attempting to index and forward generic s3 data with a custom index name to a Splunk Enterprise instance. It looks like data is being indexed, and the ssl connection is connecting, but not forwarding data. I have indexed data that shows in the web client. I am getting the following repeated output in splunkd.log

05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
05-21-2020 10:23:25.150 -0400 INFO LMStackMgr - licensewarningsupdateinterval=auto has reached the minimum threshold 10. Will not reduce licensewarningsupdateinterval beyond this value

In outputs.conf to account for sending all indexes I used 'forwardedindex.0.whitelist = .*'

inputs.conf
[default]
host = hostname
disabled=0

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true
disabled = false
forwardedindex.0.whitelist = .*

[tcpout:default-autolb-group]
compressed = true
server = ip:9998
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
sendCookedData = true

What is the required change in my forwarder configuration?

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.