I have a universal forwarder running on a Windows Server 2008 R2 server. `.../etc/system/local/inputs.conf` is monitoring Windows Security, System, and Application events, with `index=os-win` for each (my custom index for Windows events).

`.../etc/system/local/outputs.conf` is forwarding Windows events to a two-indexer cluster (load-balanced) and cloning the same events to a Heavy Forwarder.

In the `[tcpout]` global stanza I have:

```
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = os-win
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
```

The whitelist/blacklist attributes are intended to override those in the default `outputs.conf` so that Splunk internal indexes (e.g. `_internal`) do not get forwarded, only the `os-win` events.

However, the indexers are still indexing events in index `_internal` for this host.
I would welcome any suggestions.
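An added check, not part of the original post: on the Universal Forwarder, `splunk btool outputs list tcpout --debug` shows the merged `[tcpout]` stanza and which file each setting came from, so you can see whether the `local` overrides actually replaced the `default` filter rules. The script below runs that command and then emulates the ordered `forwardedindex.<n>` evaluation for a few index names. The install path, the treatment of an empty pattern as "no rule", full-string regex matching, and the rule semantics (rules tested in order, last matching rule wins, an index that matches no rule is not forwarded) are assumptions inferred from `outputs.conf.spec`, not confirmed against Splunk itself; compare its output with what the indexers receive.

```powershell
# Added example: inspect and emulate forwardedindex filtering on a Windows UF.
# Assumptions (not from the original post): install path below; an empty
# pattern is skipped; patterns must match the whole index name; the last
# matching rule decides; an index matching no rule is not forwarded.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default install path

# 1. Effective (merged) [tcpout] stanza; --debug prefixes each line with its source file.
$btool = & "$SplunkHome\bin\splunk.exe" btool outputs list tcpout --debug
$btool

if ($btool -match 'forwardedindex\.filter\.disable\s*=\s*true') {
    Write-Host 'Index filtering is disabled; every index is forwarded.'
}

# 2. Collect forwardedindex.<n>.(whitelist|blacklist) rules keyed by <n>.
$rules = @{}
foreach ($line in $btool) {
    if ($line -match 'forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*)$') {
        $rules[[int]$matches[1]] = @{ Kind = $matches[2]; Regex = $matches[3].Trim() }
    }
}

# 3. Emulate the ordered evaluation for one index name.
function Test-Forwarded([string]$Index) {
    $decision = $false                      # assumption: no match => not forwarded
    foreach ($n in ($rules.Keys | Sort-Object)) {
        $r = $rules[$n]
        if ($r.Regex -eq '') { continue }   # assumption: empty pattern acts as no rule
        if ($Index -match ('^(?:' + $r.Regex + ')$')) {
            $decision = ($r.Kind -eq 'whitelist')   # last matching rule wins
        }
    }
    return $decision
}

foreach ($idx in 'os-win', '_internal', '_audit', 'main') {
    '{0,-10} forwarded={1}' -f $idx, (Test-Forwarded $idx)
}
```

If btool still lists `forwardedindex.1.blacklist = _.*` and a non-empty `forwardedindex.2.whitelist` from `system\default\outputs.conf`, the local overrides are not taking effect; if it shows the local values but `_internal` still arrives, the emulated semantics above are not what the forwarder applies to an empty pattern, and the Heavy Forwarder's own `outputs.conf` is the next place to look.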