
Why is forwardedindex in outputs.conf not working on my Windows universal forwarder?

PhilipShaunTayl
New Member

I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).

.../etc/system/local/outputs.conf is forwarding Windows events to a two-indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the [tcpout] global stanza I have:

forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.

However, the Indexers are still indexing events in index _internal for this host.

I would welcome any suggestions.

0 Karma

somesoni2
Revered Legend

Try something like this for the [tcpout] stanza in the UF outputs.conf:

[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist = *
forwardedindex.2.blacklist = _*
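Added example, not code from either poster or from Splunk: a small Python checker that pulls the forwardedindex.<n> keys out of a [tcpout] stanza, lints them against the constraints the outputs.conf spec states (n starts at 0 with no gaps; when a whitelist and a blacklist share the same n the whitelist is honoured; every value must be a regex), and then simulates which index names the chain would forward. The simulation rests on two assumptions that are marked as such in the code rather than being documented Splunk behaviour: the last rule whose regex matches decides (the only reading under which the shipped default of allow .*, deny _.*, re-allow a few _ indexes does anything), and a pattern must match the whole index name. The sample stanzas are constructed: the two from this thread, an abridged copy of the shipped default, and a hypothetical rule set that meets the question's goal under those assumptions.

```python
"""Lint and simulate forwardedindex.<n> filters from a Splunk [tcpout] stanza.

Assumptions (not documented Splunk behaviour; check on a real forwarder):
  * rules are tested from n=0 upward and the LAST matching rule decides;
  * a pattern must match the whole index name (ANCHORED = False tries
    unanchored search semantics instead);
  * an index name that matches no rule at all is forwarded.
"""
import re
from dataclasses import dataclass

ANCHORED = True
_KEY = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")


@dataclass
class Rule:
    n: int
    kind: str        # "whitelist" or "blacklist"
    pattern: str


def parse_tcpout(text):
    """Return (filter_disabled, [Rule, ...]) from the text of a [tcpout] stanza."""
    disabled, found = False, {}              # found: n -> {kind: pattern}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "forwardedindex.filter.disable":
            disabled = value.lower() in ("true", "1", "t", "yes")
            continue
        m = _KEY.match(key)
        if m:
            found.setdefault(int(m.group(1)), {})[m.group(2)] = value
    rules = []
    for n in sorted(found):
        # Spec: if both keys exist for the same n, the whitelist is honoured.
        kind = "whitelist" if "whitelist" in found[n] else "blacklist"
        rules.append(Rule(n, kind, found[n][kind]))
    return disabled, rules


def lint(rules):
    """Return the problems that make a filter chain unreliable or invalid."""
    issues = []
    ns = [r.n for r in rules]
    if ns != list(range(len(ns))):
        issues.append(f"<n> must start at 0 with no gaps, found {ns}")
    for r in rules:
        if r.pattern == "":
            issues.append(f"forwardedindex.{r.n}.{r.kind} is empty; "
                          "give it an explicit regex")
            continue
        try:
            re.compile(r.pattern)
        except re.error as exc:
            issues.append(f"forwardedindex.{r.n}.{r.kind} = {r.pattern!r} "
                          f"is not a valid regex ({exc})")
    return issues


def is_forwarded(index, rules):
    """Apply the chain to one index name; last matching rule wins (assumption)."""
    problems = lint(rules)
    if problems:
        raise ValueError("fix lint issues before simulating: " + "; ".join(problems))
    verdict = True                            # assumption: unmatched name passes
    for r in rules:
        rx = re.compile(r.pattern)
        hit = rx.fullmatch(index) if ANCHORED else rx.search(index)
        if hit:
            verdict = (r.kind == "whitelist")
    return verdict


def evaluate(stanza_text, indexes):
    """Map each index name to True (forwarded) or False (dropped)."""
    disabled, rules = parse_tcpout(stanza_text)
    if disabled:                              # filter.disable = true forwards everything
        return {ix: True for ix in indexes}
    return {ix: is_forwarded(ix, rules) for ix in indexes}


# Constructed samples: the two stanzas from this thread, the shipped default
# (abridged; read $SPLUNK_HOME/etc/system/default/outputs.conf for the full
# list) and a hypothetical chain that forwards only os-win under the assumptions.
QUESTION_STANZA = "[tcpout]\nforwardedindex.filter.disable = false\n" \
    "forwardedindex.0.whitelist = os-win\nforwardedindex.1.blacklist =\n" \
    "forwardedindex.2.whitelist =\n"
ANSWER_STANZA = "[tcpout]\nforwardedindex.filter.disable = false\n" \
    "forwardedindex.0.whitelist = os-win\nforwardedindex.1.blacklist = *\n" \
    "forwardedindex.2.blacklist= _*\n"
DEFAULT_STANZA = "[tcpout]\nforwardedindex.0.whitelist = .*\n" \
    "forwardedindex.1.blacklist = _.*\n" \
    "forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry)\n"
CANDIDATE_STANZA = "[tcpout]\nforwardedindex.filter.disable = false\n" \
    "forwardedindex.0.blacklist = .*\nforwardedindex.1.whitelist = os-win\n"

if __name__ == "__main__":
    for name, stanza in (("question", QUESTION_STANZA), ("answer", ANSWER_STANZA)):
        print(name, "lint:", lint(parse_tcpout(stanza)[1]))
    names = ["os-win", "_internal", "_thefishbucket", "main"]
    print("default  :", evaluate(DEFAULT_STANZA, names))
    print("candidate:", evaluate(CANDIDATE_STANZA, names))
```

Run stand-alone it prints the lint findings for the two stanzas in the thread (empty patterns in the question's, a value that is not a regex in the answer's) and the per-index verdicts for the other two; the default chain shows why _internal keeps arriving, since its rule 2 re-allows it after rule 1 dropped it.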