How to selectively not forward based on index?

hobbes3
Explorer

I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance.

Now the forwarder is trying to send all of the *NIX app inputs with index = os to my indexer and my search head/indexer is giving the following warning:

Search peer splunk-id1 has the following message: received event for unconfigured/disabled/deleted index='os' with source='source::netstat' host='host::hobbes3-server' sourcetype='sourcetype::netstat' (1 missing total)

I believe the indexer is confused because there is no os index on the indexer. Besides, I don't want to forward my *NIX app inputs to the indexer anyway.

Is there a way to selectively not forward the os index?

I know this answer shows how to selectively index and forward, but it's by source. The *NIX app has about 25 inputs and I don't want to type _TCP_ROUTING 25 times in inputs.conf.

Here is my outputs.conf if that's useful for anyone:

root@hobbes3-server /opt/splunk/bin # ./splunk cmd btool outputs list --debug
/opt/splunk/etc/system/local/outputs.conf   [tcpout]
/opt/splunk/etc/system/local/outputs.conf   autoLB = true
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf   defaultGroup = ec2_indexers
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/system/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/system/default/outputs.conf forwardedindex.2.whitelist = (_audit|_internal)
/opt/splunk/etc/system/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf   indexAndForward = true
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/system/local/outputs.conf   maxQueueSize = 7MB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/local/outputs.conf   useACK = true
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf   [tcpout:ec2_indexers]
/opt/splunk/etc/system/local/outputs.conf   server = aa.aa.aa.aa:9997, bb.bb.bb.bb:9997, cc.cc.cc.cc:9997, dd.dd.dd.dd:9997
1 Solution

sowings
Splunk Employee

Add an entry in your outputs.conf (in an application, or in system/local), to say "forwardedindex.3.blacklist = os". This adds to the list of filters (you'll see 0, 1 and 2), to say "don't send the os index".
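
An added example, not part of the original answer and not Splunk's own code: a small Python model of the forwardedindex filter chain from the btool output above, with the suggested rule 3 appended, to check which indexes stop being forwarded and that _audit and _internal still are. It assumes rules are tested in ascending order with the last matching rule deciding, and that each regex must match the whole index name; the sample index names are constructed.

```python
import re

# Filter chain copied from the btool output above, plus the rule from the answer.
DEFAULT_FILTERS = [
    (0, "whitelist", r".*"),
    (1, "blacklist", r"_.*"),
    (2, "whitelist", r"(_audit|_internal)"),
]
PROPOSED_RULE = (3, "blacklist", r"os")


def is_forwarded(index_name, filters):
    """Return True if events for index_name would be forwarded.

    Assumed model: rules are tested in ascending <n>, the last rule whose
    regex matches the whole index name decides, and no match means "drop".
    """
    forwarded = False
    for _, kind, pattern in sorted(filters):
        if re.fullmatch(pattern, index_name):
            forwarded = (kind == "whitelist")
    return forwarded


def forwarding_diff(index_names, before, after):
    """Map each index whose decision changes to (before, after) booleans."""
    return {
        name: (is_forwarded(name, before), is_forwarded(name, after))
        for name in index_names
        if is_forwarded(name, before) != is_forwarded(name, after)
    }


if __name__ == "__main__":
    # Constructed sample; "hosts" shows the effect of the whole-name assumption.
    sample = ["main", "os", "hosts", "_internal", "_audit", "_thefishbucket"]
    after = DEFAULT_FILTERS + [PROPOSED_RULE]
    for name in sample:
        print(f"{name:16} before={is_forwarded(name, DEFAULT_FILTERS)!s:5} "
              f"after={is_forwarded(name, after)}")
    print("changed:", forwarding_diff(sample, DEFAULT_FILTERS, after))
```

After deploying the change, the effective chain on the forwarder can be confirmed with the same `./splunk cmd btool outputs list --debug` command shown in the question.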
