forwardedindex.filter.disable = false ?

u346146
Engager

Hi there

Please refer to the outputs.conf file below,

My problem is:

I am trying to send all data to group1 and only index6 to group2.

But group 2 is getting about half of all six indexes' data.

What am I doing wrong?

I have read http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Outputsconf about 10 times now and I am obviously missing something, but what?

**outputs.conf**

    # Global settings - specifying two target groups
    [tcpout]
    defaultGroup = group1, group2
    disabled = false

    # Target group settings

    [tcpout:group1]
    server = 111.111.111.111:9997
    forwardedindex.filter.disable = true


    [tcpout:group2]
    server = 222.222.222.222:9997
    forwardedindex.filter.disable = false
    forwardedindex.0.blacklist = index1
    forwardedindex.1.blacklist = index2
    forwardedindex.2.blacklist = index3
    forwardedindex.3.blacklist = index4
    forwardedindex.4.blacklist = index5
    forwardedindex.5.whitelist = index6

aafogles
Explorer

I am also having this issue. I did read that the forwardedindex.filter.disable defaults to false and that forwarderindexer.filters have to be applied to the global [tcpout], but even still, the filters do not apply. I've tried "forwardedindex.0.blacklist= ", "forwardedindex.0.blacklist=*" (both of these included a forwardedindex.1.whitelist=) and "forwardedindex.0.blacklist=". No matter what, everything that is indexed on "Indexer1" gets indexed onto "Indexer2". Has anyone found a solution yet?

0 Karma

grijhwani
Motivator

Did you ever get this resolved? Did you consider using

    $SPLUNK_HOME/bin/splunk btool outputs list

to make sure your total config was what you expected it to be?

0 Karma

gpburgett
Splunk Employee

I'm getting the same thing. No matter where I put the outputs.conf file, the filters don't seem to apply.
Now I've disabled the lines in the default outputs.conf ($SPLUNK_HOME/etc/system/default/outputs.conf) that whitelist all indexes and applied the filters there and they seem to be applied properly.

0 Karma

mibrahim
Splunk Employee

Some suggestions I would make:

1 – tcpout:group1

    forwardedindex.filter.disable = false

Then put the Indexes you want to forward in black and whitelist like you did for group 2. Ideally blacklisting Index6.

2 – group2 looks good.

Once you make the change restart Splunk on that forwarder.

0 Karma

cwacha
Path Finder

I don't know exactly what the problem is here but we had a similar issue. Basically it turned out that

    forwardedindex.filter.disable = true

was not working at all. We had to leave it on default = false and add everything to the white and blacklists.

Maybe defaultGroup = group1, group2 might do load balancing between the two...???
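A configuration check to run alongside the `btool` suggestion above, as an added example that is not from any poster in this thread or from Splunk. It assumes, as the second post reports reading, that `forwardedindex.*` settings only take effect in the global `[tcpout]` stanza, and flags any that sit in a `[tcpout:<group>]` stanza; the function name and the sample text (the layout from the question, shortened) are constructed for illustration.

```python
import configparser

# Constructed sample: the outputs.conf layout posted in the question, shortened.
SAMPLE = """
[tcpout]
defaultGroup = group1, group2
disabled = false

[tcpout:group1]
server = 111.111.111.111:9997
forwardedindex.filter.disable = true

[tcpout:group2]
server = 222.222.222.222:9997
forwardedindex.filter.disable = false
forwardedindex.0.blacklist = index1
forwardedindex.5.whitelist = index6
"""


def misplaced_filters(conf_text):
    """Return (stanza, key) pairs for forwardedindex.* keys outside [tcpout].

    Assumption (hypothetical helper, not a Splunk tool): such keys are only
    honoured in the global [tcpout] stanza, so any hit here is a filter the
    author expected to be per-group but that will not behave that way.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        if stanza == "tcpout":
            continue  # global stanza: filters are expected here
        for key in cp[stanza]:
            if key.lower().startswith("forwardedindex."):
                findings.append((stanza, key))
    return findings


if __name__ == "__main__":
    for stanza, key in misplaced_filters(SAMPLE):
        print(f"[{stanza}] {key}: index filter set outside global [tcpout]")
```

Feeding it the merged output of `btool outputs list` rather than a single file checks the configuration the forwarder actually loads.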
