Hi there
Please refer to the outputs.conf file below,
My problem is:
I am trying to send all data to group1 and only index6 to group2.
but group 2 is getting about half of all six indexes data
what am I doing wrong?
I have read http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Outputsconf
about 10 times now and I am obviously missing something but what?
**outputs.conf**
#global settings - specifing two target groups
[tcpout]
defaultGroup = group1, group2
disabled = false
# Target group settings
[tcpout:group1]
server = 111.111.111.111:9997
forwardedindex.filter.disable = true
[tcpout:group2]
server = 222.222.222.222:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index1
forwardedindex.1.blacklist = index2
forwardedindex.2.blacklist = index3
forwardedindex.3.blacklist = index4
forwardedindex.4.blacklist = index5
forwardedindex.5.whitelist = index6
I am also having this issue. I did read that the forwardedindex.filter.disable defaults to false and that forwarderindexer.filters have to be applied the the global [tcpout], but even still, the filters do not appliy. I've tried "forwardedindex.0.blacklist= ", "forwardedindex.0.blacklist=*" (both of these included a forwardedindex.1.whitelist=
Did you ever get this resolved? Did you consider using
$SPLUNK_HOME/bin/splunk btool outputs list
to make sure your total config was what you expected it to be?
I'm getting the same thing. No matter where I put the outputs.conf file, the filters don't seem to apply.
Now I've disable the lines in the default outputs.conf ($SPLUNK_HOME/etc/system/default/outputs.conf) that whitelist all indexes and applied the filters there and they seem to be applied properly.
Some suggestions I would make:
1 – tcpout:group1
forwardedindex.filter.disable = false
Then put the Indexes you want to forward in black and whitelist like you did for group 2. Ideally blacklisting Index6
2 – group2 looks good.
Once you make the change restart Splunk on that forwarder..
I don't know exactly what the problem is here but we had a similar issue. Basically it turned out that
forwardedindex.filter.disable = true
was not working at all. We had to leave it on default = false and add everything to the white and blacklists.
Maybe defaultGroup = grou1, group2
might do load balancing between the two...???