Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index internal logs locally and forward all other logs

k31453
Explorer
‎11-24-2020 09:42 PM

As title suggest, i want to index internal logs only and forwards all other logs to forwarders or idxs.

Here is the setup :

  • I have one cluster and three indexes setup seperately outside cluster.
  • Cluster has CM, SH and three indexers.
  • Those Three indexers i want to use as Heavy forwarder to send all logs out to external indexes

Following is default output.conf:

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup)
forwardedindex.filter.disable = false
indexAndForward = false

Here is what I have done outputs.conf

 

[tcpout]
defaultGroup=noforward
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:forwarders]
server:<forwarders>:9997

 

 

 
Below is my props.conf

 

 

[default]
TRANSFORMS-forwardit = forwardit

[host::*.foo.splunk.com]
TRANSFORMS-routing = indexing

 

 


Below is transforms.conf

 

 

[forwardit]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = forwarders

[indexing]
REGEX = .
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local

 

 

 
Essentially all internal indexes should stay within cluster indexes but rest of index or logs forwarded to external indexes.

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-25-2020 10:57 PM

@k31453 

I believe you are looking for below: Note: you can only index _internal logs using this method.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing...

 

————————————
If this helps, give a like below.
0 Karma
Reply

k31453
Explorer
‎11-26-2020 04:48 PM

Well. This tells me i have to use inputs.conf to ensure routing. By default I want to forward logs. But if i see internal logs i will index it and not forward it. This basically is telling me i have to put _INDEX_AND_FORWARD_ROUTING on all internal inputs.conf this can cause the issue. 

0 Karma
Reply

k31453
Explorer
‎11-25-2020 04:21 PM

For me by default i want to forward new indexes created and internal indexes has to be indexed locally. My thoughts is , setup tcpgroup for forwarders and in outputs.conf and inputs.conf i should modify but not sure how.

0 Karma
Reply

k31453
Explorer
‎11-25-2020 03:57 PM

Hi, if the intention is to index all internal indexes, i have set _INDEX_AND_FORWARD_ROUTING and 

_TCP_ROUTING which can cause the issue.

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-24-2020 10:06 PM

@k31453 

The Splunk Doc is very much detailed on the question you have asked. check it out using below link.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_...

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...