Monitoring Splunk

forward _internal index from deployment server

ch_goh
Explorer

Hi,
I have the following outputs.conf set on the deployment server, but the _internal index doesn't seem to be forwarded to the indexer. What am I missing?

outputs.conf

[tcpout]
autoLB=true
autoLBFrequency=30
blockOnCloning=true
compressed=false
connectionTimeout=20
disabled=false
dropClonedEventsOnQueueFull=5
dropEventsOnQueueFull=-1
forwardedindex.0.whitelist=.*
forwardedindex.1.whitelist=_.*
forwardedindex.2.whitelist=_audit
forwardedindex.filter.disable=false
heartbeatFrequency=30
indexAndForward=false
maxConnectionsPerIndexer=2
maxFailuresPerInterval=2
maxQueueSize=500KB
readTimeout=300
secsInFailureInterval=1
sendCookedData=true
server=165.36.15.217:9997,165.36.15.218:9997
useACK=false
writeTimeout=300

Please help.

Thanks.

1 Solution

jhupka
Path Finder

Can you try changing your forwardedindex.2 line to:

forwardedindex.2.whitelist = (_audit|_internal)

Also, your other forwardedindex lines (0 and 1) are essentially saying any "1-character" or _"1-character" indexes should be forwarded - these are regular expressions defining the index names you want to forward.

Alternatively, can you simplify your outputs.conf? You really only need the entries you want to override compared to what's in etc/system/default/outputs.conf - I noticed a lot of your settings are the same as what's in the default.

So for example you could have the following much simpler version of your outputs.conf that forwards all indexes (and have this located in etc/system/local or an app's default directory's outputs.conf):

[tcpout]
forwardedindex.0.whitelist=.*
forwardedindex.1.blacklist=
forwardedindex.2.whitelist=

[tcpout:splunk]
server=165.36.15.217:9997,165.36.15.218:9997
autoLB=true

sowings
Splunk Employee

Note that the forwardedindex.whitelist.2 entry described above is the default starting with version 5.0.2, I believe.

ch_goh
Explorer

It works. Thanks.
