Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to send internal logs after enabling a Splunk forwarder?

cwl
Contributor
‎11-12-2018 01:47 AM

Splunk forwarders seem to stop forwarding internal logs after enabling SplunkForwarder app.

Any idea how to forward internal logs even after enabling Splunk forwarder?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cwl
Contributor
‎11-12-2018 01:49 AM

Current issue is being caused by forwardedindex.2.whitelist parameter in SPLUNK_HOME/etc/apps/SplunkForwarder/default/outputs.conf 

[tcpout] 
... 
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry) 
...

Please add below content to either in SPLUNK_HOME/etc/apps/SplunkForwarder/local/outputs.conf or SPLUNK_HOME/etc/system/local/outputs.conf to fix this issue. 

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cwl
Contributor
‎11-12-2018 01:49 AM

Current issue is being caused by forwardedindex.2.whitelist parameter in SPLUNK_HOME/etc/apps/SplunkForwarder/default/outputs.conf 

[tcpout] 
... 
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry) 
...

Please add below content to either in SPLUNK_HOME/etc/apps/SplunkForwarder/local/outputs.conf or SPLUNK_HOME/etc/system/local/outputs.conf to fix this issue. 

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...