Getting Data In

Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

PhilipShaunTayl
New Member

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).

.../etc/system/local/outputs.conf is forwarding Windows events to a 2 Indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the [tcpout] global stanza I have:

forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.

However, the Indexers are still indexing events in index _internal for this host.

I would welcome any suggestions.

0 Karma

somesoni2
Revered Legend

Try something like this for [tcpout] stanza on UF outputs.conf

[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist = *
forwardedindex.2.blacklist= _*