Hi,
If I forward the _internal index from an indexer to my management Splunk instance, the license master, I can search the _internal index.
But if I search the main index, there are a lot of forwarded events there too that are based on non-internal sourcetypes and sources.
Has anyone seen this before?

outputs.conf:

    [tcpout]
    forwardedindex.0.blacklist = .*
    forwardedindex.1.whitelist = _internal
    forwardedindex.2.whitelist = _audit
    forwardedindex.filter.disable = false

    [tcpout:management]
    server = 172.20.10.35:9997
    compressed = false
    sendCookedData = true

inputs.conf:

    [monitor://$SPLUNK_HOME/var/log/splunk]
    _TCP_ROUTING = management
    index = _internal

I would expect that the main index would have forwarded non-internal sourcetypes and sources, if you're actually configuring inputs on the forwarder. The default location for forwarded non-internal data is the main index. This sounds like normal behavior from my perspective.
Hi,
I am having this problem now, for the _internal data routing to the new indexer.
My problem is: I have to forward the _internal index alone from an indexer to the new indexer; it should not forward all the data, only the _internal one.
I don't want to store this particular _internal data in this indexer; it should move to the new indexers.
My bad. We were forwarding raw unparsed data which was hence uncooked and the resulting sourcetype pollution ensued.
My bad. Sorry, the main index on the Splunk management instance has nothing, just checked. I forward the _internal index from an indexer to this management instance and end up with a stack of non _internal index events in the main index on the management instance.