Several of my forwarders are having issues blackli...

erictodor · ‎09-19-2017

Several of my forwarders are having issues blacklisting the _internal index. On my forwarder's \etc\system\local folder, I have a outputs.conf file with the following logic

[tcpout]
defaultGroup = default-autolb-group
forwardedindex.3.blacklist = (_internal|_audit)

I use this same logic on my workstations with successful results but however, on this representative machine, even confirming that the blacklist item is being processed by the fowarder (looking at splunkd.log), it still doesn't blacklist the __internal index. I have tried a more aggressive filter (forwardedindex.3.blacklist = _.*) but that doesn't work as well. I'm a bit stumped as to where to check next as to why this is happening and how to correct.

Any help would be appreciated.

Thank you!

erictodor · ‎10-25-2017

I found that the problem end points with this issue had to do with the fact that the Forwarder version was a bit out of date. When I upgraded from 6.0 to 6.6.3, the forwarder started to play nice and follow my config file.

somesoni2 · ‎09-19-2017

From what I remember, the blacklist index should start from 0, whereas in the question it's 3. Is it a typo while posting the question or you actually have value 3 (and no 0,1,2). If it's later, try with changing it to 0.

Several of my forwarders are having issues blacklisting the _internal index

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector