Getting Data In

When blacklisting by index name in outputs.conf, what is the variable 'n' in "forwardedindex.n.blacklist = IndexName"?

sbattista09
Contributor

I see a lot of documentation for black listing by index name in outputs.conf, but I am a bit confused as to the variable of n as in forwardedindex.n.blacklist = IndexName. Would that variable just be a number I pick?

Can I blacklist as such in outputs.conf?

[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.N.blacklist = IndexName
0 Karma
1 Solution

muebel
SplunkTrust
SplunkTrust

Hi sbattista09, By default there are white/blacklists set as such ($SPLUNKHOME/etc/system/default/outputs.conf)

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)

for each value of n, only a black or whitelist entry can be effectively set. If you wanted to take full control over the forwarded index config, you'd have to null out the previous settings, and reset them as you want, i.e.

 forwardedindex.0.blacklist =
 forwardedindex.0.whitelist =
 forwardedindex.1.blacklist =
 forwardedindex.1.whitelist =
 forwardedindex.2.whitelist =
 forwardedindex.2.blacklist =
 forwardedindex.0.blacklist = .*
 forwardedindex.1.blacklist = _.*
 forwardedindex.2.whitelist = someindex

Please let me know if this answers your question 😄

View solution in original post

muebel
SplunkTrust
SplunkTrust

Hi sbattista09, By default there are white/blacklists set as such ($SPLUNKHOME/etc/system/default/outputs.conf)

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)

for each value of n, only a black or whitelist entry can be effectively set. If you wanted to take full control over the forwarded index config, you'd have to null out the previous settings, and reset them as you want, i.e.

 forwardedindex.0.blacklist =
 forwardedindex.0.whitelist =
 forwardedindex.1.blacklist =
 forwardedindex.1.whitelist =
 forwardedindex.2.whitelist =
 forwardedindex.2.blacklist =
 forwardedindex.0.blacklist = .*
 forwardedindex.1.blacklist = _.*
 forwardedindex.2.whitelist = someindex

Please let me know if this answers your question 😄

sbattista09
Contributor

this kind of confuses me more, i would need to state a white list and a black list in my stanza?

or would this wok to?

[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.1.blacklist = IndexName
0 Karma

woodcock
Esteemed Legend

The n has to start at 0 (not 1).

sbattista09
Contributor

so it is as simple as adding it and for each index you black list just increment the number?

[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.0.blacklist = IndexName

0 Karma

woodcock
Esteemed Legend

Exactly +2.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...