Hi,
I have recently started migrating our enterprise infrastructure to an indexer cluster from a previous standalone Splunk server infrastructure. Before the migration, I could see all the splunkd.logs from all forwarders in the _internal index on the server. After switching to the cluster, I can no longer see them when searching in index=_internal via the search head.
I suspect it is due to the fact that _internal is... internal, so it is not clustered among cluster nodes and therefore not searchable via the cluster search head.
What is the proper way to view them? I have splunk web disabled on cluster peers for security reasons as it was never supposed to be searched directly. It feels idiotic having this log-centralising product and not being able to see its logs in a central place.
... View more