https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98437#M20562 <P>No firewall between forwarder A and indexer B. Both are Red Hat 2.6...</P> <P>/opt/splunkforwarder/etc/system/local/outputs.conf on A (which has universal forwarder): </P> <P>[tcpout]<BR /> defaultGroup = default-autolb-group</P> <P>[tcpout:default-autolb-group]<BR /> server = 152.190.138.158:9997</P> <P>[tcpout-server://152.190.138.158:9997] &lt;&lt;&lt; This is my indexer</P> <P>On the indexer I have "manager -&gt; Forwarding and receiving -&gt; receive data" set to 9997</P> <P>Are "/var/logs" natively set to be sent to the indexer? Or does this have to be configured?</P> Thu, 24 Jan 2013 14:04:41 GMT hokie1999 2013-01-24T14:04:41Z https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98437#M20562 <P>No firewall between forwarder A and indexer B. Both are Red Hat 2.6...</P> <P>/opt/splunkforwarder/etc/system/local/outputs.conf on A (which has universal forwarder): </P> <P>[tcpout]<BR /> defaultGroup = default-autolb-group</P> <P>[tcpout:default-autolb-group]<BR /> server = 152.190.138.158:9997</P> <P>[tcpout-server://152.190.138.158:9997] &lt;&lt;&lt; This is my indexer</P> <P>On the indexer I have "manager -&gt; Forwarding and receiving -&gt; receive data" set to 9997</P> <P>Are "/var/logs" natively set to be sent to the indexer? Or does this have to be configured?</P> Thu, 24 Jan 2013 14:04:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98437#M20562 hokie1999 2013-01-24T14:04:41Z https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98438#M20563 <P>The answer to this question, thanks to Ed Elisio, is to configure </P> <P>/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf </P> <P>on the forwarding device to be something like this if you're interested in /var/log stuff:</P> <P>[splunktcp]<BR /> route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue</P> <P>[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]<BR /> _TCP_ROUTING = *<BR /> index = _internal</P> <P>[monitor:///var/log] &lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt; added this</P> <P>Restart the universal forwarder, too.</P> Mon, 28 Sep 2020 13:10:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98438#M20563 hokie1999 2020-09-28T13:10:41Z https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98439#M20564 <P>hokie1999,</P> <P>One thing to note here. You edited your default inputs.conf. This is generally considered bad practice. If you were to update your universal forwarder to a newer version, the update process would revert your change back to, as the name implies, the default.</P> <P>Right at the top of the default/inputs.conf (as well as other default/*.conf files) there is a warning stating not to edit the file.</P> <P>You need to make this change in the local inputs.conf. In /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/, there should be a local directory. In it, there may or may not be a inputs.conf file. If there is, great, make your changes there. If there isn't, just copy the inputs.conf from the default directory into the local directory. Then make your changes to the inputs.conf in the local directory.</P> Thu, 24 Jan 2013 15:32:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-set-up-forwarding-on-linux-to-linux/m-p/98439#M20564 mloven_splunk 2013-01-24T15:32:18Z