Knowledge Management

Forwardedindex Whitelist Routing

ephemeric
Contributor

Greetz,

We have two summary indexes we would like to forward, so on Splunk 5.0.3:

[tcpout]

indexAndForward = true

defaultGroup = Client1, Client2

maxQueueSize = 7MB

useACK = true

# RTFM says below to disable defaults:

forwardedindex.0.whitelist =

forwardedindex.1.blacklist =

forwardedindex.2.whitelist =

# Then custom.

forwardedindex.0.blacklist = .*

forwardedindex.1.whitelist = .*_ext_summary

[tcpout:Client1]

server = 172.nn.nn.nn:9997

[tcpout:Client2]

server = 172.nn.nn.nn:9997

As per RTFM, whitelisting only allowed in top stanza.

At the moment, both groups get all forwarded summary indexes which is not what we want.

Is it possible to TCP route via a group for a whitelisted forwardedindex?

I have done _TCP_ROUTING for an input but don't see anything for an index?

We want to send client1_ext_summary out via Client1 group and client2_ext_summary out via Client2 group.

Thank you.

0 Karma

SarahSplunk123
Explorer

Hello,

You could do this via routing data from your indexes through props/transforms.conf to the outputs.conf.

Best regards

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...