Re: Splunk Forwarder logs to Splunk Indexer

ssankeneni · ‎04-17-2013

Do SplunkForwarder forward the metrics.log to the Splunk indexer automatically? I can see the splunkd.log files but not metrics.log file

sbrice36 · ‎05-04-2015

This must have been updated with 6.2.1/6.2.2, I now see the following entry by default in "etc\apps\SplunkUniversalForwarder\default"

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

So both splunkd.log and metrics.log are now being forwarded to _internal

dstuder · ‎12-28-2018

I see that in the forwarder app but I also see this in etc/system/default/input.conf which appears to be sending not only the .log files but also the rolled over log files such as .log.1, .log.2, etc.

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

yannK · ‎09-25-2014

By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.

You can bypass this and force the metrics.log to be forwarded with an inputs.conf like

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index=_internal
_TCP_ROUTING = *

sowings · ‎05-23-2014

No, the metrics.log isn't forwarded automatically. Only the splunkd.log receives a special exception. If you look at the documentation for inputs.conf here, it says explicitly:

* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*" or a specific splunktcp target group.

The splunkd.log has this setting, but the general directory $SPLUNK_HOME/var/log/splunk does not. You'll have to create a local inputs.conf (in a small config app, or in system/local) containing:

[monitor://$SPLUNK_HOME/var/log/splunk] _TCP_ROUTING = *

Once this is in place, restart your forwarder.

Splunk Forwarder logs to Splunk Indexer

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability