I have a universal forwarder running on a Windows Server 2008 R2 server. .../etc/system/local/inputs.conf is monitoring Windows Security, System, and Application events, with index=os-win for each (my custom index for Windows events).
.../etc/system/local/outputs.conf is forwarding Windows events to a two-indexer cluster (load-balanced) and cloning the same events to a heavy forwarder.
In the [tcpout] global stanza I have:
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
The whitelist/blacklist attributes are intended to override those in the default outputs.conf so that Splunk internal indexes (e.g. _internal) do not get forwarded, only the os-win events.
However, the Indexers are still indexing events in index _internal for this host.
I would welcome any suggestions.
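The following is an added illustration of how the forwardedindex filter chain is evaluated; it is not part of the original post. The index name os-win is taken from the post; the filter values shown in the comments as "default" are what Splunk ships in $SPLUNK_HOME/etc/system/default/outputs.conf (the exact list of internal indexes in filter 2 varies by version). Settings in local/outputs.conf are merged with the defaults key by key, so overriding only forwardedindex.0.whitelist leaves the default forwardedindex.1.blacklist and forwardedindex.2.whitelist in force, and the filters are tested in order from 0 upward with the last matching filter deciding the outcome.

```ini
# Added example: a local [tcpout] stanza that overrides every numbered
# filter the defaults define, so that only events bound for os-win are
# forwarded. Index numbers must be contiguous starting at 0.
[tcpout]
forwardedindex.filter.disable = false

# Filter 0 (default is whitelist = .*): only os-win passes here.
forwardedindex.0.whitelist = os-win

# Filter 1 (default is blacklist = _.*): keep it, so _internal, _audit
# and every other underscore-prefixed index is explicitly denied.
forwardedindex.1.blacklist = _.*

# Filter 2 (default is a whitelist of the internal indexes, e.g.
# (_audit|_internal|_introspection|...)). Left at its default, this is
# the last filter that matches _internal, so _internal is still forwarded.
# Overriding it to os-win removes that re-allow.
forwardedindex.2.whitelist = os-win

# Evaluation for an event targeting _internal:
#   filter 0: no match   filter 1: blacklist match (deny)   filter 2: no match
#   -> last match is filter 1, event is not forwarded
# Evaluation for an event targeting os-win:
#   filter 0: whitelist match   filter 1: no match   filter 2: whitelist match
#   -> last match is filter 2, event is forwarded
```

To see the merged result on the forwarder after the change, run `splunk btool outputs list tcpout --debug` from $SPLUNK_HOME/bin; it prints each effective key with the file it came from, which makes it obvious when a default filter is still winning. Restart the forwarder after editing outputs.conf, and confirm on the indexers with a search such as `index=_internal host=<forwarder>` over a window that starts after the restart.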