I am using Splunk Free, and the Splunk add-on for AWS, attempting to index and forward generic s3 data with a custom index name to a Splunk Enterprise instance. It looks like data is being indexed, and the ssl connection is connecting, but not forwarding data. I have indexed data that shows in the web client. I am getting the following repeated output in splunkd.log
05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
05-21-2020 10:23:25.150 -0400 INFO LMStackMgr - license_warnings_update_interval=auto has reached the minimum threshold 10. Will not reduce license_warnings_update_interval beyond this value
In outputs.conf to account for sending all indexes I used 'forwardedindex.0.whitelist = .*'
inputs.conf
[default]
host = hostname
disabled=0
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true
disabled = false
forwardedindex.0.whitelist = .*
[tcpout:default-autolb-group]
compressed = true
server = ip:9998
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
sendCookedData = true
What is the required change in my forwarder configuration?