Getting Data In

can splunkd.log be forwarded from Heavy Forwarder to Indexer?

fernandoandre
Communicator

I have a Heavy Forwarder (HF) and an Indexer.

I would like to forward splunkd.log from the Heavy Forwarder to Indexer in order to search this log without having to log in to the HF.

1 - How can I do this?

2 - If possible, can I also do it for Universal Forwarders (how?)?

3 - If I use [monitor://...splunkd.log] and forward it, this will index the file and count to licensing purposes...or not?

If I run: splunk list monitor

Splunk returns that this "splunkd.log" in being monitored (but not sent to Indexer).

Thanks

1 Solution

dshpritz
SplunkTrust
SplunkTrust

Yes, you can do this, but by default Splunk does not forward events from _internal. In the outputs.conf, you would turn off the filtering. So in the "tcpout" stanza:

[tcpout]

forwardedindex.filter.disable = true

View solution in original post

yanivdutt
Explorer

Even I have same issue. Heavy forwarders are not forwarding _internal logs

0 Karma

jchampagne
Path Finder

I've implemented this change, hoping to get the local splunk logs from my heavy forwarders into my main indexer. However, I'm still not seeing anything. After doing some more checking, I've noticed that the _internal index on the heavy forwarders has no events.

Why would my heavy forwarders not be indexing their splunk log files by default?

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Yes, you can do this, but by default Splunk does not forward events from _internal. In the outputs.conf, you would turn off the filtering. So in the "tcpout" stanza:

[tcpout]

forwardedindex.filter.disable = true

fernandoandre
Communicator

Thank you. I don't know how but I completely overlooked that attribute when reading it.

I have tested it at HF and works perfectly.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...