Getting Data In

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

New Member

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).

.../etc/system/local/outputs.conf is forwarding Windows events to a 2 Indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the [tcpout] global stanza I have:

forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.

However, the Indexers are still indexing events in index _internal for this host.

I would welcome any suggestions.

0 Karma

Revered Legend

Try something like this for [tcpout] stanza on UF outputs.conf

[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist = *
forwardedindex.2.blacklist= _*
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!