Solved: Why am I unable to send internal logs after enabli...

cwl · ‎11-12-2018

Splunk forwarders seem to stop forwarding internal logs after enabling SplunkForwarder app.

Any idea how to forward internal logs even after enabling Splunk forwarder?

cwl · ‎11-12-2018

Current issue is being caused by forwardedindex.2.whitelist parameter in SPLUNK_HOME/etc/apps/SplunkForwarder/default/outputs.conf

[tcpout] 
... 
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry) 
...

Please add below content to either in SPLUNK_HOME/etc/apps/SplunkForwarder/local/outputs.conf or SPLUNK_HOME/etc/system/local/outputs.conf to fix this issue.

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

View solution in original post

cwl · ‎11-12-2018

Current issue is being caused by forwardedindex.2.whitelist parameter in SPLUNK_HOME/etc/apps/SplunkForwarder/default/outputs.conf

[tcpout] 
... 
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry) 
...

Please add below content to either in SPLUNK_HOME/etc/apps/SplunkForwarder/local/outputs.conf or SPLUNK_HOME/etc/system/local/outputs.conf to fix this issue.

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

Why am I unable to send internal logs after enabling a Splunk forwarder?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Why am I unable to send internal logs after enabling a Splunk forwarder?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk