Getting Data In

forwardedindex.filter.disable = false ?

u346146
Engager

Hi there

Please refer to the outputs.conf file below,

My problem is:

I am trying to send all data to group1 and only index6 to group2, but group 2 is getting about half of all six indexes' data.

What am I doing wrong?

I have read http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Outputsconf about 10 times now and I am obviously missing something, but what?

**outputs.conf**

    # global settings - specifying two target groups
    [tcpout]
    defaultGroup = group1, group2
    disabled = false

    # Target group settings

    [tcpout:group1]
    server = 111.111.111.111:9997
    forwardedindex.filter.disable = true


    [tcpout:group2]
    server = 222.222.222.222:9997
    forwardedindex.filter.disable = false
    forwardedindex.0.blacklist = index1
    forwardedindex.1.blacklist = index2
    forwardedindex.2.blacklist = index3
    forwardedindex.3.blacklist = index4
    forwardedindex.4.blacklist = index5
    forwardedindex.5.whitelist = index6

aafogles
Explorer

I am also having this issue. I did read that forwardedindex.filter.disable defaults to false and that the forwardedindex filters have to be applied to the global [tcpout], but even still, the filters do not apply. I've tried "forwardedindex.0.blacklist= ", "forwardedindex.0.blacklist=*" (both of these included a forwardedindex.1.whitelist=) and "forwardedindex.0.blacklist=". No matter what, everything that is indexed on "Indexer1" gets indexed onto "Indexer2". Has anyone found a solution yet?

0 Karma

grijhwani
Motivator

Did you ever get this resolved? Did you consider using

    $SPLUNK_HOME/bin/splunk btool outputs list

to make sure your total config was what you expected it to be?

0 Karma

gpburgett
Splunk Employee

I'm getting the same thing. No matter where I put the outputs.conf file, the filters don't seem to apply.
Now I've disabled the lines in the default outputs.conf ($SPLUNK_HOME/etc/system/default/outputs.conf) that whitelist all indexes and applied the filters there, and they seem to be applied properly.

0 Karma

mibrahim
Splunk Employee

Some suggestions I would make:

1 – tcpout:group1

    forwardedindex.filter.disable = false

Then put the indexes you want to forward in the blacklist and whitelist like you did for group 2, ideally blacklisting index6.

2 – group2 looks good.

Once you make the change, restart Splunk on that forwarder.

0 Karma

cwacha
Path Finder

I don't know exactly what the problem is here, but we had a similar issue. Basically it turned out that

    forwardedindex.filter.disable = true

was not working at all. We had to leave it on default = false and add everything to the white and blacklists.

Maybe defaultGroup = group1, group2 might do load balancing between the two...???
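
An added example, not part of any post in this thread and not Splunk's own code: a small Python check that flags `forwardedindex.*` settings placed outside the global `[tcpout]` stanza, run over the outputs.conf from the question. It assumes, as one reply above reports reading, that these filters are only honored under `[tcpout]`; the function name and the simple line-based parsing are illustrative.

```python
import re

# The outputs.conf from the question, embedded as sample input (comments omitted).
SAMPLE = """\
[tcpout]
defaultGroup = group1, group2
disabled = false
[tcpout:group1]
server = 111.111.111.111:9997
forwardedindex.filter.disable = true
[tcpout:group2]
server = 222.222.222.222:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index1
forwardedindex.1.blacklist = index2
forwardedindex.2.blacklist = index3
forwardedindex.3.blacklist = index4
forwardedindex.4.blacklist = index5
forwardedindex.5.whitelist = index6
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def misplaced_index_filters(conf_text):
    """Return (line_no, stanza, key) for every forwardedindex.* setting
    that sits outside the global [tcpout] stanza (assumed requirement)."""
    findings = []
    stanza = None  # None until the first stanza header is seen
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        header = STANZA.match(line)
        if header:
            stanza = header.group("name")
            continue
        setting = SETTING.match(line)
        if setting and setting.group("key").startswith("forwardedindex."):
            if stanza != "tcpout":
                findings.append((line_no, stanza, setting.group("key")))
    return findings


if __name__ == "__main__":
    for line_no, stanza, key in misplaced_index_filters(SAMPLE):
        print(f"line {line_no}: {key} in [{stanza}] is outside [tcpout]")
```

Running the same check over the output of `splunk btool outputs list`, as suggested earlier in the thread, covers the merged configuration rather than a single file.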
