Why is forwardedindex in outputs.conf not working ...

PhilipShaunTayl · ‎02-17-2016

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).

.../etc/system/local/outputs.conf is forwarding Windows events to a 2 Indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the [tcpout] global stanza I have:

forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.

However, the Indexers are still indexing events in index _internal for this host.

I would welcome any suggestions.

somesoni2 · ‎02-17-2016

Try something like this for [tcpout] stanza on UF outputs.conf

[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist = *
forwardedindex.2.blacklist= _*

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem