Solved: Forwarding search head logs to indexer

aoliullah · ‎04-06-2017

Hi. I have been trying to forward my search head logs to the indexer as it is a best practice. In order to do so, I tried to create an outputs.conf under search app with all the parameters. However, I wanted to try out how it can be done through the GUI, so used the "configure forwarding" option and set the IP:destport. I now receive the internal logs.

However, I am trying to find out where that GUI setting would have got written to. It should technically have created a new outputs.conf file right? Could anyone tell me where it would reside please? I have tried to use the "locate" command on my search head box to find all the outputs.conf file but couldn't find the config written to any of them.

Thanks in advance!

gcusello · ‎04-06-2017

Hi aoliullah,
usually it's in $SPLUNK_HOME/etc/system/local.
everyway, you can find it also using btool command

./splunk cmd btool outputs list --debug

Bye.
Giuseppe

View solution in original post

gcusello · ‎04-06-2017

Hi aoliullah,
usually it's in $SPLUNK_HOME/etc/system/local.
everyway, you can find it also using btool command

./splunk cmd btool outputs list --debug

Bye.
Giuseppe

aoliullah · ‎04-06-2017

Thank you.

Forwarding search head logs to indexer

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio