Getting Data In

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

PhilipShaunTayl
New Member

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).

.../etc/system/local/outputs.conf is forwarding Windows events to a 2 Indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the [tcpout] global stanza I have:

forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.

However, the Indexers are still indexing events in index _internal for this host.

I would welcome any suggestions.

0 Karma

somesoni2
Revered Legend

Try something like this for [tcpout] stanza on UF outputs.conf

[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist = *
forwardedindex.2.blacklist= _*
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...