Getting Data In

Changed outputs.conf, but why is my Universal Forwarder still sending to the old server, even after a restart?

nce054
Path Finder

I've changed the outputs.conf file on my Universal Forwarder to direct to a different server, and restarted the service. However, I am still receiving the same data on the old server, and nothing on the new server. Am I changing the wrong file? It's in $SPLUNK_HOME\etc\system\local.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Can you please check from which outputs.conf your universal forwarder is taking configuration?

Use below command on universal forwarder, it will display the result, from which file your parameter for outputs.conf is taking value.

$SPLUNK_HOME/bin/splunk cmd btool outputs --debug list

Thanks,
Harshil

0 Karma

nce054
Path Finder

I did this, and the new server is listed as the tcp-out. However, it isn't receiving anything yet, and my old server is still constantly getting new data.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...