
forwardedindex.filter.disable = false ?

u346146
Engager

Hi there,

Please refer to the outputs.conf file below.

My problem is:

I am trying to send all data to group1 and only index6 to group2,

but group 2 is getting about half of all six indexes' data.

What am I doing wrong?

I have read http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Outputsconf about 10 times now and I am obviously missing something, but what?

**outputs.conf**

    # Global settings - specifying two target groups
    [tcpout]
    defaultGroup = group1, group2
    disabled = false

    # Target group settings

    [tcpout:group1]
    server = 111.111.111.111:9997
    forwardedindex.filter.disable = true


    [tcpout:group2]
    server = 222.222.222.222:9997
    forwardedindex.filter.disable = false
    forwardedindex.0.blacklist = index1
    forwardedindex.1.blacklist = index2
    forwardedindex.2.blacklist = index3
    forwardedindex.3.blacklist = index4
    forwardedindex.4.blacklist = index5
    forwardedindex.5.whitelist = index6

aafogles
Explorer

I am also having this issue. I did read that the forwardedindex.filter.disable defaults to false and that forwarderindexer.filters have to be applied to the global [tcpout], but even still, the filters do not apply. I've tried "forwardedindex.0.blacklist= ", "forwardedindex.0.blacklist=*" (both of these included a forwardedindex.1.whitelist=) and "forwardedindex.0.blacklist=". No matter what, everything that is indexed on "Indexer1" gets indexed onto "Indexer2". Has anyone found a solution yet?

0 Karma

grijhwani
Motivator

Did you ever get this resolved? Did you consider using

    $SPLUNK_HOME/bin/splunk btool outputs list

to make sure your total config was what you expected it to be?

0 Karma

gpburgett
Splunk Employee

I'm getting the same thing. No matter where I put the outputs.conf file, the filters don't seem to apply.
Now I've disabled the lines in the default outputs.conf ($SPLUNK_HOME/etc/system/default/outputs.conf) that whitelist all indexes and applied the filters there, and they seem to be applied properly.

0 Karma

mibrahim
Splunk Employee

Some suggestions I would make:

1 – tcpout:group1

    forwardedindex.filter.disable = false

Then put the indexes you want to forward in the blacklist and whitelist like you did for group 2, ideally blacklisting index6.

2 – group2 looks good.

Once you make the change, restart Splunk on that forwarder.

0 Karma

cwacha
Path Finder

I don't know exactly what the problem is here but we had a similar issue. Basically it turned out that

    forwardedindex.filter.disable = true

was not working at all. We had to leave it on default = false and add everything to the white and blacklists.

Maybe defaultGroup = group1, group2 might do load balancing between the two...???
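
aafogles reports above having read that forwardedindex filters have to sit in the global [tcpout] stanza, and grijhwani suggests checking the merged config with btool. The following is an added example (not from any poster in this thread or from Splunk) that flags `forwardedindex.*` settings placed under a target-group stanza; the function names and the shortened sample config are constructed for illustration, and the input can be an outputs.conf file or plain `btool outputs list` output.

```python
import re

# Constructed sample: shortened from the outputs.conf posted in the question.
SAMPLE = """\
[tcpout]
defaultGroup = group1, group2

[tcpout:group1]
server = 111.111.111.111:9997
forwardedindex.filter.disable = true

[tcpout:group2]
server = 222.222.222.222:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index1
forwardedindex.5.whitelist = index6
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def parse_conf(text):
    """Return {stanza: {key: value}} for .conf text (line continuations not handled)."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = STANZA.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = SETTING.match(line)
        if m:
            stanzas.setdefault(current, {})[m.group("key")] = m.group("value").strip()
    return stanzas


def misplaced_filters(text):
    """List (stanza, key) for forwardedindex.* settings outside the global [tcpout]."""
    return [(s, k) for s, kv in parse_conf(text).items()
            if s != "tcpout" for k in kv if k.startswith("forwardedindex.")]


if __name__ == "__main__":
    for stanza, key in misplaced_filters(SAMPLE):
        print(f"[{stanza}] {key}: filter set outside the global [tcpout] stanza")
```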
