Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to forward all indexed data from all indexes from heavy forwarder to another instance over ssl?

ififitsisits
New Member
‎05-21-2020 07:45 AM

I am using Splunk Free, and the Splunk add-on for AWS, attempting to index and forward generic s3 data with a custom index name to a Splunk Enterprise instance. It looks like data is being indexed, and the ssl connection is connecting, but not forwarding data. I have indexed data that shows in the web client. I am getting the following repeated output in splunkd.log

05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
05-21-2020 10:23:25.150 -0400 INFO LMStackMgr - license_warnings_update_interval=auto has reached the minimum threshold 10. Will not reduce license_warnings_update_interval beyond this value

In outputs.conf to account for sending all indexes I used 'forwardedindex.0.whitelist = .*'

inputs.conf
[default]
host = hostname
disabled=0

outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true
disabled = false
forwardedindex.0.whitelist = .*

[tcpout:default-autolb-group]
compressed = true
server = ip:9998
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
sendCookedData = true

What is the required change in my forwarder configuration?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...