<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Internal Log Forwarding in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749783#M119115</link>
    <description></description>
    <pubDate>Mon, 14 Jul 2025 21:32:11 GMT</pubDate>
    <dc:creator>livehybrid</dc:creator>
    <dc:date>2025-07-14T21:32:11Z</dc:date>
    <item>
      <title>Internal Log Forwarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749776#M119110</link>
      <description>&lt;P&gt;Configuring Internal Log Forwarding&amp;nbsp;&lt;/P&gt;&lt;P&gt;1- 1sh 2 indx 2 if and 4 uf 1 mc&lt;/P&gt;&lt;P&gt;2- I can see only idx internal logs, though I have correctly updated the server list under the [tcpout:primary_indexers] stanza in outputs.conf&lt;/P&gt;&lt;P&gt;3- What could be the issue with this simple setup not being able to see the internal logs of the sh, idx, mc and if?&lt;/P&gt;&lt;P&gt;Base Config outputs.conf&lt;/P&gt;&lt;P&gt;# BASE SETTINGS&lt;/P&gt;&lt;P&gt;[tcpout]&lt;BR /&gt;defaultGroup = primary_indexers&lt;/P&gt;&lt;P&gt;# When indexing a large continuous file that grows very large, a universal&lt;BR /&gt;# or light forwarder may become "stuck" on one indexer, trying to reach&lt;BR /&gt;# EOF before being able to switch to another indexer. The symptoms of this&lt;BR /&gt;# are congestion on *one* indexer in the pool while others seem idle, and&lt;BR /&gt;# possibly uneven loading of the disk usage for the target index.&lt;BR /&gt;# In this instance, forceTimebasedAutoLB can help!&lt;BR /&gt;# ** Do not enable if you have events &amp;gt; 64kB **&lt;BR /&gt;# Use with caution, can cause broken events&lt;BR /&gt;#forceTimebasedAutoLB = true&lt;BR /&gt;&lt;BR /&gt;# Correct an issue with the default outputs.conf for the Universal Forwarder&lt;BR /&gt;# or the SplunkLightForwarder app; these don't forward _internal events.&lt;BR /&gt;# 3/6/21 only required for versions prior to current supported forwarders.&lt;BR /&gt;# Check forwardedindex.2.whitelist in system/default config to verify&lt;BR /&gt;#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)&lt;/P&gt;&lt;P&gt;[tcpout:primary_indexers]&lt;BR /&gt;server = server_one:9997, server_two:9997&lt;/P&gt;&lt;P&gt;# If you do not have two (or more) indexers, you must use the single stanza&lt;BR /&gt;# configuration, which looks like this:&lt;BR 
/&gt;#[tcpout-server://&amp;lt;ipaddress_or_servername&amp;gt;:&amp;lt;port&amp;gt;]&lt;BR /&gt;# &amp;lt;attribute1&amp;gt; = &amp;lt;val1&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;# If setting compressed=true, this must also be set on the indexer.&lt;BR /&gt;# compressed = true&lt;/P&gt;&lt;P&gt;# INDEXER DISCOVERY (ASK THE CLUSTER MANAGER WHERE THE INDEXERS ARE)&lt;/P&gt;&lt;P&gt;# This particular setting identifies the tag to use for talking to the&lt;BR /&gt;# specific cluster manager, like the "primary_indexers" group tag here.&lt;BR /&gt;# indexerDiscovery = clustered_indexers&lt;/P&gt;&lt;P&gt;# It's OK to have a tcpout group like the one above *with* a server list;&lt;BR /&gt;# these will act as a seed until communication with the manager can be&lt;BR /&gt;# established, so it's a good idea to have at least a couple of indexers&lt;BR /&gt;# listed in the tcpout group above.&lt;/P&gt;&lt;P&gt;# [indexer_discovery:clustered_indexers]&lt;BR /&gt;# pass4SymmKey = &amp;lt;MUST_MATCH_MANAGER&amp;gt;&lt;BR /&gt;# This must include protocol and port like the example below.&lt;BR /&gt;# manager_uri = &lt;A href="https://manager.example.com:8089" target="_blank" rel="noopener"&gt;https://manager.example.com:8089&lt;/A&gt;&lt;/P&gt;&lt;P&gt;# SSL SETTINGS&lt;/P&gt;&lt;P&gt;# sslCertPath = $SPLUNK_HOME/etc/auth/server.pem&lt;BR /&gt;# sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem&lt;BR /&gt;# sslPassword = password&lt;BR /&gt;# sslVerifyServerCert = true&lt;/P&gt;&lt;P&gt;# COMMON NAME CHECKING - NEED ONE STANZA PER INDEXER&lt;BR /&gt;# The same certificate can be used across all of them, but the configuration&lt;BR /&gt;# here requires these settings to be per-indexer, so the same block of&lt;BR /&gt;# configuration would have to be repeated for each.&lt;BR /&gt;# [tcpout-server://10.1.12.112:9997]&lt;BR /&gt;# sslCertPath = $SPLUNK_HOME/etc/certs/myServerCertificate.pem&lt;BR /&gt;# sslRootCAPath = $SPLUNK_HOME/etc/certs/myCAPublicCertificate.pem&lt;BR 
/&gt;# sslPassword = server_privkey_password&lt;BR /&gt;# sslVerifyServerCert = true&lt;BR /&gt;# sslCommonNameToCheck = servername&lt;BR /&gt;# sslAltNameToCheck = servername&lt;/P&gt;&lt;P&gt;Thanks for your time!&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jul 2025 21:01:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749776#M119110</guid>
      <dc:creator>Mirza_Jaffar1</dc:creator>
      <dc:date>2025-07-14T21:01:27Z</dc:date>
    </item>
    <item>
      <title>Re: Internal Log Forwarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749778#M119111</link>
      <description>&lt;P&gt;Have you also added this to outputs.conf?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[indexAndForward]
index = false&lt;/LI-CODE&gt;&lt;P&gt;&lt;A href="https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-distributed-search/best-practice-forward-search-head-data-to-the-indexer-layer" target="_blank"&gt;https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-distributed-search/best-practice-forward-search-head-data-to-the-indexer-layer&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jul 2025 21:20:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749778#M119111</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-07-14T21:20:43Z</dc:date>
    </item>
    <item>
      <title>Re: Internal Log Forwarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749779#M119112</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309363"&gt;@Mirza_Jaffar1&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;Maybe you did not enable receiving on indexers?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# inputs.conf
[splunktcp://9997]&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 14 Jul 2025 21:25:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749779#M119112</guid>
      <dc:creator>scelikok</dc:creator>
      <dc:date>2025-07-14T21:25:05Z</dc:date>
    </item>
    <item>
      <title>Re: Internal Log Forwarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749780#M119113</link>
      <description>&lt;P&gt;Ok, this is the config. Now check your logs - splunkd.log on both ends of the connection for each component. There could be a lot of things that could have gone wrong - network traffic filtered, TLS misconfigured, some overzealous IPS...&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jul 2025 21:25:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749780#M119113</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2025-07-14T21:25:08Z</dc:date>
    </item>
    <item>
      <title>Re: Internal Log Forwarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749783#M119115</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309363"&gt;@Mirza_Jaffar1&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let's strip out all those comments; it looks like your applied config is:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = server_one:9997, server_two:9997&lt;/LI-CODE&gt;&lt;P&gt;In theory this should probably work, but it makes a number of assumptions. I don't think the lack of an&amp;nbsp;indexAndForward setting will be affecting this because either way it should forward the data, so I won't focus on that.&lt;/P&gt;&lt;P&gt;The first thing to check is on one of the hosts that aren't sending their internal logs: check $SPLUNK_HOME/var/log/splunk/splunkd.log for any errors relating to output directly on the server. Try the keyword "tcpoutputfd" - do you see any failures/errors?&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you confirm that you can connect to server_one and server_two from your hosts on port 9997?&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;nc -vz -w1 server_one 9997&lt;/LI-CODE&gt;&lt;P&gt;This will prove that the connectivity can be established correctly and that your indexers are listening. Are there any firewalls between your other servers and the indexers?&lt;/P&gt;&lt;P&gt;Lastly, what is the inputs.conf configuration on your indexers? Please check with btool - are you using any custom SSL certificates or requiring client certs?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;$SPLUNK_HOME/bin/splunk btool input list --debug splunktcp&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 14 Jul 2025 21:32:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Internal-Log-Forwarding/m-p/749783#M119115</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-07-14T21:32:11Z</dc:date>
    </item>
  </channel>
</rss>

