Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- forward _internal index from deployment server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the following outputs.conf set in deployment server but the _internal index doesn't seem to be forwarded to the Indexer. What do I miss?
outputs.conf
[tcpout]
autoLB=true
autoLBFrequency=30
blockOnCloning=true
compressed=false
connectionTimeout=20
disabled=false>
dropClonedEventsOnQueueFull=5
dropEventsOnQueueFull=-1
forwardedindex.0.whitelist=.*
forwardedindex.1.whitelist=_.*
forwardedindex.2.whitelist=_audit
forwardedindex.filter.disable=false
heartbeatFrequency=30
indexAndForward=false
maxConnectionsPerIndexer=2
maxFailuresPerInterval=2
maxQueueSize=500KB
readTimeout=300
secsInFailureInterval=1
sendCookedData=true
server=165.36.15.217:9997,165.36.15.218:9997
useACK=false
writeTimeout=300
Please help.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try changing your forwardedindex.2 line to :
forwardedindex.2.whitelist = (_audit|_internal)
Also, your other forwardedindex lines (0 and 1) are essentially saying any "1-character" or _"1-character" indexes should be forwarded - these are regular expressions defining the index names you want to forward.
Alternatively, can you simplify your outputs.conf? You really only need the entries you want to override compared to what's in etc/system/default/outputs.conf - I noticed a lot of your settings are the same as what's in the default.
So for example you could have the following much simpler version of your outputs.conf that forwards all indexes (and have this located in etc/system/local or an app's default directory's outputs.conf:
[tcpout]
forwardedindex.0.whitelist=.*
forwardedindex.1.blacklist=
forwardedindex.2.whitelist=
[tcpout:splunk]
server=165.36.15.217:9997,165.36.15.218:9997
autoLB=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try changing your forwardedindex.2 line to :
forwardedindex.2.whitelist = (_audit|_internal)
Also, your other forwardedindex lines (0 and 1) are essentially saying any "1-character" or _"1-character" indexes should be forwarded - these are regular expressions defining the index names you want to forward.
Alternatively, can you simplify your outputs.conf? You really only need the entries you want to override compared to what's in etc/system/default/outputs.conf - I noticed a lot of your settings are the same as what's in the default.
So for example you could have the following much simpler version of your outputs.conf that forwards all indexes (and have this located in etc/system/local or an app's default directory's outputs.conf:
[tcpout]
forwardedindex.0.whitelist=.*
forwardedindex.1.blacklist=
forwardedindex.2.whitelist=
[tcpout:splunk]
server=165.36.15.217:9997,165.36.15.218:9997
autoLB=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that the forwardedindex.whitelist.2 entry described above is the default starting with version 5.0.2, I believe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works. Thanks.
AI for AppInspect
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
