Monitoring Splunk

Forwarding search head logs to indexer

aoliullah
Path Finder

Hi. I have been trying to forward my search head logs to the indexer as it is a best practice. In order to do so, I tried to create an outputs.conf under the search app with all the parameters. However, I wanted to try out how it can be done through the GUI, so I used the "configure forwarding" option and set the IP:destport. I now receive the internal logs.

However, I am trying to find out where that GUI setting would have been written to. It should technically have created a new outputs.conf file, right? Could anyone tell me where it would reside please? I have tried to use the "locate" command on my search head box to find all the outputs.conf files but couldn't find the config written to any of them.

Thanks in advance!

0 Karma
1 Solution

gcusello
SplunkTrust

Hi aoliullah,
Usually it's in $SPLUNK_HOME/etc/system/local.
Anyway, you can also find it using the btool command:

./splunk cmd btool outputs list --debug

Bye.
Giuseppe


0 Karma
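The btool approach from the answer above, as an added example that is not part of the original thread: it reduces `btool outputs list --debug` output to the non-default files that supply the effective forwarding (tcpout) settings. The sample output, its paths, group name and address are constructed, and `sample_btool_output` and `forwarding_sources` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): show which outputs.conf files
# contribute the effective tcpout (forwarding) settings.

# Constructed sample of `splunk cmd btool outputs list --debug` output.
# Paths, group name and the 192.0.2.10 address are made up.
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/system/local/outputs.conf        [tcpout]
/opt/splunk/etc/system/default/outputs.conf      ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/local/outputs.conf        defaultGroup = default-autolb-group
/opt/splunk/etc/system/default/outputs.conf      indexAndForward = 0
/opt/splunk/etc/system/local/outputs.conf        [tcpout:default-autolb-group]
/opt/splunk/etc/system/local/outputs.conf        server = 192.0.2.10:9997
/opt/splunk/etc/apps/search/local/outputs.conf   useACK = true
EOF
}

# Hypothetical helper: reads btool --debug output on stdin and prints
# "file<TAB>stanza<TAB>setting" for every tcpout setting that does not
# come from a shipped default/ directory.
forwarding_sources() {
    awk '
    {
        # Each line is "<path to .conf file><padding><stanza or setting>".
        if (!match($0, /\.conf[ \t]+/)) next
        file = substr($0, 1, RSTART + 4)      # keep through ".conf"
        rest = substr($0, RSTART + RLENGTH)   # text after the padding
        if (rest ~ /^\[/) { stanza = rest; next }
        if (file ~ /\/default\//) next        # skip shipped defaults
        if (stanza ~ /^\[tcpout/) printf "%s\t%s\t%s\n", file, stanza, rest
    }'
}

# On a real search head:
#   "$SPLUNK_HOME/bin/splunk" cmd btool outputs list --debug | forwarding_sources
sample_btool_output | forwarding_sources
```

Because btool reports the merged configuration, a forwarding destination set in one file and modified by another (here the constructed `useACK` line from the search app) shows up with both sources listed.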

aoliullah
Path Finder

Thank you.

0 Karma