- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forward _internal from Indexer
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If I forward the _internal index from an indexer to my management Splunk instance, the license master, I can search the _internal index.
But, if I search the main index, there are a lot of forwarded events there too that are
based on non-internal sourcetypes and sources.
Has anyone seen this before?
outputs.conf
[tcpout]
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = _internal
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
[tcpout:management]
server = 172.20.10.35:9997
compressed = false
sendCookedData = true
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = management
index = _internal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non internal data is the main index. This sounds like normal behavior from my perspective.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I am having this problem now , for the _internal data routing to the new indexer .
my problem is - I have to forward _internal index alone from a indexer to the new indexer , it should not forward all the data only _internal one.
i don't want to store this particular _internal data in this indexer, it should move to the new indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad. We were forwarding raw unparsed data which was hence uncooked and the resulting sourcetype pollution ensued.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad. Sorry, the main index on the Splunk management instance has nothing, just checked. I forward the _internal index from an indexer to this management instance and end up with a stack of non _internal index events in the main index on the management instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non internal data is the main index. This sounds like normal behavior from my perspective.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
