I see a lot of documentation for blacklisting by index name in outputs.conf, but I am a bit confused as to the variable n, as in forwardedindex.n.blacklist = IndexName. Would that variable just be a number I pick?
Can I blacklist as such in outputs.conf?
[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.N.blacklist = IndexName
Hi sbattista09, by default there are white/blacklists set as such ($SPLUNKHOME/etc/system/default/outputs.conf):
[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
For each value of n, only a black or whitelist entry can be effectively set. If you wanted to take full control over the forwarded index config, you'd have to null out the previous settings and reset them as you want, i.e.:
forwardedindex.0.blacklist =
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.1.whitelist =
forwardedindex.2.whitelist =
forwardedindex.2.blacklist =
forwardedindex.0.blacklist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = someindex
Please let me know if this answers your question 😄
This kind of confuses me more. I would need to state a white list and a black list in my stanza?
Or would this work too?
[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.1.blacklist = IndexName
The n has to start at 0 (not 1).
So it is as simple as adding it, and for each index you blacklist just increment the number?
[syslog:stuff_syslog_group]
server = 1.1.1.1:555
forwardedindex.0.blacklist = IndexName
Exactly +2.
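A small Python model of the ordered forwardedindex.<n> list discussed in this thread, added here as an illustration; it is not Splunk's code and not part of the original posts. It assumes full-string regex matching, that the last matching entry decides, that a whitelist wins when both entries exist for one n, and that layered conf files can be modelled by concatenation; all function and variable names are hypothetical.

```python
import re

# Constructed sample input, copied from the settings quoted in the thread.
DEFAULTS = """\
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
"""
# The answer's override: null every slot first, then set the new list.
NULLS = "".join(f"forwardedindex.{n}.{k} =\n"
                for n in range(3) for k in ("blacklist", "whitelist"))
NEW = """\
forwardedindex.0.blacklist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = someindex
"""

LINE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*)$")

def parse_filters(text):
    """Return [(kind, regex)] ordered by n; reject lists that do not run 0, 1, 2, ..."""
    slots = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        n, kind, pattern = int(m.group(1)), m.group(2), m.group(3).strip()
        slots.setdefault(n, {})
        if pattern:
            slots[n][kind] = pattern      # a later line overrides an earlier one
        else:
            slots[n].pop(kind, None)      # "key =" with no value nulls the setting
    slots = {n: kinds for n, kinds in slots.items() if kinds}
    if sorted(slots) != list(range(len(slots))):
        raise ValueError(f"n must start at 0 with no gaps, got {sorted(slots)}")
    ordered = []
    for n in sorted(slots):
        # Only one entry per n is effective (assumed: whitelist wins if both are set).
        kind = "whitelist" if "whitelist" in slots[n] else "blacklist"
        ordered.append((kind, re.compile(slots[n][kind])))
    return ordered

def is_forwarded(index, filters):
    """Assumed semantics: the last matching entry decides; no match means forward."""
    decision = True
    for kind, rx in filters:
        if rx.fullmatch(index):
            decision = (kind == "whitelist")
    return decision
```

In this model, `parse_filters(DEFAULTS + NEW)` still forwards `main` because the default `forwardedindex.0.whitelist` survives next to the new `forwardedindex.0.blacklist`, which is why the answer nulls the old entries before setting new ones.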