Several of my forwarders are having issues blacklisting the _internal index

erictodor
New Member

Several of my forwarders are having issues blacklisting the _internal index. In my forwarder's \etc\system\local folder, I have an outputs.conf file with the following logic:

[tcpout]
defaultGroup = default-autolb-group
forwardedindex.3.blacklist = (_internal|_audit)

I use this same logic on my workstations with successful results; however, on this representative machine, even after confirming that the blacklist item is being processed by the forwarder (looking at splunkd.log), it still doesn't blacklist the _internal index. I have tried a more aggressive filter (forwardedindex.3.blacklist = _.*), but that doesn't work either. I'm a bit stumped as to where to check next to find out why this is happening and how to correct it.

Any help would be appreciated.

Thank you!

0 Karma

erictodor
New Member

I found that the problem endpoints with this issue had to do with the fact that the forwarder version was a bit out of date. When I upgraded from 6.0 to 6.6.3, the forwarder started to play nice and follow my config file.

0 Karma

somesoni2
Revered Legend

From what I remember, the blacklist index should start from 0, whereas in the question it's 3. Is it a typo made while posting the question, or do you actually have the value 3 (and no 0, 1, 2)? If it's the latter, try changing it to 0.

0 Karma