Deployment Architecture

Forwarder logs in an indexer cluster setting

asiaque_mBank
Engager

Hi,

I have recently started migrating our enterprise infrastructure to an indexer cluster from a previous standalone Splunk server infrastructure. Before the migration, I could see all the splunkd.logs from all forwarders in the _internal index on the server. After switching to the cluster, I can no longer see them when searching in index=_internal via the search head.
I suspect it is due to the fact that _internal is... internal, so it is not clustered among cluster nodes and therefore not searchable via the cluster search head.

What is the proper way to view them? I have splunk web disabled on cluster peers for security reasons as it was never supposed to be searched directly. It feels idiotic having this log-centralising product and not being able to see its logs in a central place.

0 Karma

jkat54
SplunkTrust

You need a combination of outputs.conf and some settings within. An example is below. The whitelist .* says all indexes, and the 1.blacklist overrides the already configured settings for blacklisted indexes. This should go into $SPLUNK_HOME/etc/appName/local/outputs.conf

[tcpout:INDEXERS]
server = indexer1:9997,indexer2:9997
compressed = true
autoLB = true
# Rule 0: forward every index, which includes _internal and _audit
forwardedindex.0.whitelist = .*
# Rules 1 and 2 are deliberately left empty so that this app overrides the
# default blacklist (_.*) and its partial re-whitelist of _ indexes shipped in
# $SPLUNK_HOME/etc/system/default/outputs.conf
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
0 Karma
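To confirm what a forwarder's forwardedindex filter chain actually does to _internal before rolling a change out, here is an added Python evaluator (not from the answer above and not Splunk's own code). It assumes Splunk's documented rule order (filters tested from 0 upward, a whitelist beating a blacklist with the same n, the last matching filter deciding, and an index that matches no filter being forwarded), an abbreviated copy of the default filter list, and anchored regex matching; the stanza texts are constructed samples.

```python
import re

# Constructed sample: Splunk's default filter chain (index list abbreviated)
DEFAULT_RULES = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
"""

# Constructed sample: the override stanza proposed in the answer
ANSWER_RULES = """
[tcpout:INDEXERS]
server = indexer1:9997,indexer2:9997
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
"""

RULE_KEY = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*)$")


def parse_rules(conf_text):
    """Return [(n, kind, regex)] in filter order; empty values yield no rule."""
    by_n = {}
    for line in conf_text.splitlines():
        m = RULE_KEY.match(line.strip())
        if m:
            n, kind, pattern = int(m.group(1)), m.group(2), m.group(3).strip()
            by_n.setdefault(n, {})[kind] = pattern
    rules = []
    for n in sorted(by_n):
        # Splunk honours the whitelist when both keys are set for the same n
        for kind in ("whitelist", "blacklist"):
            if by_n[n].get(kind):
                rules.append((n, kind, by_n[n][kind]))
                break
    return rules


def is_forwarded(index_name, rules):
    """An index is forwarded when the last filter matching it is a whitelist.
    Assumption: anchored matching, and no match at all means forwarded."""
    decision = True
    for _, kind, pattern in rules:
        if re.fullmatch(pattern, index_name):
            decision = kind == "whitelist"
    return decision


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULES), ("answer", ANSWER_RULES)):
        rules = parse_rules(text)
        for idx in ("_internal", "_metrics", "main"):
            print(f"{name:8} {idx:12} forwarded={is_forwarded(idx, rules)}")
```

Under the default chain _metrics (absent from the abbreviated re-whitelist) is dropped while _internal is still forwarded, so a missing _internal on the cluster usually points at the forwarder's tcpout target rather than at these filters.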