https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98537#M20604 <P>By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.</P> <P>You can bypass this and force the metrics.log to be forwarded with an inputs.conf like</P> <PRE><CODE>[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log] index=_internal _TCP_ROUTING = * </CODE></PRE> Thu, 25 Sep 2014 23:10:44 GMT yannK 2014-09-25T23:10:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98535#M20602 <P>Do SplunkForwarder forward the metrics.log to the Splunk indexer automatically? I can see the splunkd.log files but not metrics.log file</P> Wed, 17 Apr 2013 20:58:19 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98535#M20602 ssankeneni 2013-04-17T20:58:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98536#M20603 <P>No, the metrics.log isn't forwarded automatically. Only the splunkd.log receives a special exception. If you look at the documentation for inputs.conf <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf">here</A>, it says explicitly:</P> <P><CODE><BR /> * To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*" <BR /> or a specific splunktcp target group.<BR /> </CODE></P> <P>The splunkd.log has this setting, but the general directory $SPLUNK_HOME/var/log/splunk does not. You'll have to create a local inputs.conf (in a small config app, or in system/local) containing:</P> <P><CODE><BR /> [monitor://$SPLUNK_HOME/var/log/splunk]<BR /> _TCP_ROUTING = *<BR /> </CODE></P> <P>Once this is in place, restart your forwarder.</P> Fri, 23 May 2014 19:08:07 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98536#M20603 sowings 2014-05-23T19:08:07Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98537#M20604 <P>By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.</P> <P>You can bypass this and force the metrics.log to be forwarded with an inputs.conf like</P> <PRE><CODE>[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log] index=_internal _TCP_ROUTING = * </CODE></PRE> Thu, 25 Sep 2014 23:10:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98537#M20604 yannK 2014-09-25T23:10:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98538#M20605 <P>This must have been updated with 6.2.1/6.2.2, I now see the following entry by default in "etc\apps\SplunkUniversalForwarder\default"</P> <P>[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]<BR /> _TCP_ROUTING = *<BR /> index = _internal</P> <P>So both splunkd.log and metrics.log are now being forwarded to _internal</P> Mon, 28 Sep 2020 19:44:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98538#M20605 sbrice36 2020-09-28T19:44:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98539#M20606 <P>I see that in the forwarder app but I also see this in etc/system/default/input.conf which appears to be sending not only the .log files but also the rolled over log files such as .log.1, .log.2, etc.</P> <PRE><CODE>[monitor://$SPLUNK_HOME\var\log\splunk] index = _internal </CODE></PRE> Fri, 28 Dec 2018 19:10:35 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-logs-to-Splunk-Indexer/m-p/98539#M20606 dstuder 2018-12-28T19:10:35Z