topic Re: Need assistance on Log forwarding from UF in Getting Data In

Need assistance on Log forwarding from UF

Navanitha — Fri, 06 Feb 2026 12:51:35 GMT

I am trying to forward win event security logs from server using UF to our Heavy forwarder. UF has all the required apps configured however I only see its internal logs in tcpudmp on the Heavy forwarder and not the actual logs.

following is the config -

[WinEventLog://Security]

_TCP_ROUTING=indexer1,indexer2

disabled = false

index=test

start_from = oldest

current_only = 1

evt_resolve_ad_obj = 1

checkpointInterval = 5

above inputs is standard across our org and few servers has outputs configured to indexer1, and some to indexer2, hence you see both in the outputs above.

outputs -

[tcpout:indexer2_HF]

autoLB=true

server = 1.0.6.7:9997,1.0.6.8:9997

what else is missing ?

Re: Need assistance on Log forwarding from UF

gcusello — Fri, 06 Feb 2026 13:43:44 GMT

Hi @Navanitha ,

at first, it isn't clear why you are separating data between indexers, anyway the name in _TCP_ROUTING must be the same of the outputs.conf stanza, instead you have a different name: indexer2 instead of indexer2_HF.

Ciao.

Giuseppe

Re: Need assistance on Log forwarding from UF

livehybrid — Fri, 06 Feb 2026 13:46:55 GMT

Hi @Navanitha

Your _TCP_ROUTING should use the same value as the tcpout: value in outputs.conf
e.g.

_TCP_ROUTING=indexer2_HF or, for both: _TCP_ROUTING=indexer1_HF,indexer2_HF

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Need assistance on Log forwarding from UF

Navanitha — Fri, 06 Feb 2026 15:37:07 GMT

yea thats a typo, the _TCP_ROUTING in the inputs is same as outputs.conf. It is like below -

[WinEventLog://Security]

_TCP_ROUTING=indexer1_HF, indexer2_HF

disabled = false

index=test

start_from = oldest

current_only = 1

evt_resolve_ad_obj = 1

checkpointInterval = 5

outputs -

[tcpout:indexer2_HF]

autoLB=true

server = 1.0.6.7:9997,1.0.6.8:9997

Re: Need assistance on Log forwarding from UF

PickleRick — Fri, 06 Feb 2026 22:35:55 GMT

First things first - check status of your input (splunk show inputstatus, check logs). Maybe it's not outputs, maybe you're just not getting inputs (especially since we're talking about Security logs and access to those is sometimes limited).