I have setup Universal forwarder on my Windows Server 2016 machine.
I have setup the Universal forwarder credentials to point to my Splunk Cloud.
By default shouldn't I now be getting data from the splunkd.log file?
Regards,
Greg
You can always check your metrics.log on your Universal Forwarder installation to check whether data is being sent. Otherwise, you can of course search for index=_internal and also specify host=xyz if you'd like to.
The other Splunk logs are also monitored, not only the splunkd.log. 🙂
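As an added illustration of the metrics.log check suggested above (this is not code from the original thread or from Splunk), here is a PowerShell snippet you can run on the Windows Server 2016 forwarder. It reads the tail of the Universal Forwarder's metrics.log, and reports whether the forwarder has an open connection to a receiver (`group=tcpout_connections`) and how much it is sending (`group=thruput`). The install path, the field names parsed, and the sample lines used when the file is not present are assumptions; compare them against your own metrics.log if your UF version differs.

```powershell
# Added example, not part of the original thread. Summarise the Universal
# Forwarder's metrics.log to see whether it is connected and sending.
# Assumptions: default UF install path; metrics.log lines of the form
#   "<date> <time> <tz> INFO  Metrics - group=<name>, key=value, key=value, ..."
$MetricsLog = 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log'

if (Test-Path -Path $MetricsLog) {
    $Lines = Get-Content -Path $MetricsLog -Tail 2000
} else {
    # Constructed sample lines so the script runs offline; field names are an
    # assumption and should be checked against a real metrics.log.
    $Lines = @(
        '10-18-2019 14:32:15.123 +0000 INFO  Metrics - group=tcpout_connections, name=splunkcloud:203.0.113.10:9997:0, sourcePort=8089, destIp=203.0.113.10, destPort=9997, _tcp_Bps=2048.00, _tcp_KBps=2.00, _tcp_avg_thruput=2.00, _tcp_Kprocessed=120, _tcp_eps=6.50, kb=62.00',
        '10-18-2019 14:32:15.123 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=2.00, instantaneous_eps=6.50, average_kbps=1.80, total_k_processed=120, kb=62.00, ev=201, load_average=0.10'
    )
}

# Turn one metrics line into a hashtable of its key=value fields plus the timestamp.
function ConvertFrom-MetricsLine {
    param([string]$Line)
    if ($Line -notmatch 'Metrics - (.+)$') { return $null }
    $fields = @{}
    foreach ($pair in ($Matches[1] -split ',\s*')) {
        $k, $v = $pair -split '=', 2
        if ($k) { $fields[$k.Trim()] = $v }
    }
    $fields['_time'] = (($Line -split '\s+')[0..1]) -join ' '
    return $fields
}

$Connections = @()
$Thruput     = @()
foreach ($l in $Lines) {
    $f = ConvertFrom-MetricsLine -Line $l
    if (-not $f) { continue }
    switch ($f['group']) {
        'tcpout_connections' { $Connections += $f }
        'thruput'            { if ($f['name'] -eq 'thruput') { $Thruput += $f } }
    }
}

if ($Connections.Count -eq 0) {
    # No connection entries at all means the UF never reached a receiver; look at
    # outputs.conf and at TcpOutputProc messages in splunkd.log next.
    Write-Warning "No tcpout_connections entries in the last $($Lines.Count) metrics.log lines: the forwarder is not connected to any receiver."
} else {
    # One row per receiver, showing the most recent sample for that destination.
    $Connections |
        Group-Object -Property { "$($_['destIp']):$($_['destPort'])" } |
        ForEach-Object {
            $last = $_.Group | Select-Object -Last 1
            [pscustomobject]@{
                Destination  = $_.Name
                LastSeen     = $last['_time']
                KBps         = $last['_tcp_KBps']
                EventsPerSec = $last['_tcp_eps']
            }
        } | Format-Table -AutoSize
}

if ($Thruput.Count -gt 0) {
    $last = $Thruput | Select-Object -Last 1
    "Overall thruput at $($last['_time']): $($last['instantaneous_kbps']) KB/s, $($last['instantaneous_eps']) ev/s, $($last['total_k_processed']) K events processed so far"
}
```

If the forwarder is connected but the KB/s figures stay at zero, the pipeline is up but nothing is being read; if there are no connection entries, start with outputs.conf and the TcpOutputProc lines in splunkd.log. The same two metric groups are also searchable on the Splunk Cloud side with `index=_internal host=<your host> source=*metrics.log group=tcpout_connections`, which is a quick way to confirm the data is arriving without logging on to the server.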
index=_internal shows a number of records.
Some of the records show a host of WIN2016 which is the machine I'm monitoring but when I search on host=WIN2016 I get no results.
Data Summary shows: "Waiting for results..."
If I search:
index=_internal host=WIN2016
I get results so I guess internal events are filtered out by default.
Glad to hear you're receiving data. 🙂