Splunk Enterprise

How do I enable the _internal index to be forwarded?

jambajuice
Communicator

I have a few hundred forwarders that are not indexing locally. I would like to centralize monitoring of splunkd logs. How can I tell those servers to forward events (or specific events like error messages) to the central indexer?

I also want to confirm that those logs don't count against the license, right?

Thanks.

Craig

Tags (1)
1 Solution

bpadmanbhachari
Splunk Employee
Splunk Employee

You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...

This will not count against the license usage

View solution in original post

bpadmanbhachari
Splunk Employee
Splunk Employee

You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...

This will not count against the license usage

jkerai
Splunk Employee
Splunk Employee

You can add the following entry in etc/system/local/inputs.conf to forward logs to indexers.

[monitor://$SPLUNK_HOME/var/log/splunk/splunk.log]
_TCP_ROUTING = * 
index = _internal

Yes, it does not count against the license.

sloshburch
Splunk Employee
Splunk Employee

Did anyone figure out how to confirm that they are not counting against the license? I'm not that bright and it's possible I set up my confs wrong so I want to make sure it's not counting against the license.

0 Karma

tedder
Communicator

There were rumors that _TCP_ROUTING was not needed in the 4.1 world, but I can confirm that it's necessary. You can also monitor the whole directory- remove "/splunk.log" from the monitor stanza. In the 4.1 world, the _TCP_ROUTING was supposedly supplanted by adding "forwardedindex.filter.disable = FALSE" to outputs.conf. However, that doesn't fix it. So jkerai's solution is correct.

I just went through this misery yesterday!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...