Hello
On a heavy forwarder, I am trying to index some files locally and forward other files to a remote machine (what remains locally should not be forwarded and vice-versa, what is forwarded should not be indexed locally).
I am trying to achieve this with two classes:
**1) local**
inputs.conf
[default] host = servername
[splunktcp://9997]
[monitor:///mnt/local_logs/*.log]
_INDEX_AND_FORWARD_ROUTING = local index=local
outputs.conf --> EMPTY
**2) remote**
outputs.conf
[tcpout]
forwardedindex.filter.disable = false
indexAndForward = true
forwardedindex.0.whitelist = dvo
forwardedindex.1.blacklist = .
[indexAndForward]
selectiveIndexing = true
index = true
[tcpout:shared_indexers]
server = remote_server:9997
inputs.conf
[monitor:///mnt/logs/*wf.log$]
_TCP_ROUTING = shared_indexers
index = dvo
sourcetype = logs_dvo
crcSalt =
on the remote instance I see the entry below in the logs, which shows that the the logs which are in the "local" index are also forwarded (which I am trying to avoid)
05-20-2016 07:35:34.649 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='local' with source='source::/mnt/local_logs/out.log' host='host::localmachine' sourcetype='sourcetype::local_log' (1 missing total)
How can I really block one index from being forwarded?
thanks
↧