I have a question about the forwarder and log indexing.
How often does the forwarder push data to the indexer? How do I modify the time?
How do I know which events and logs affect license usage?
Are these Splunk log files pushed to the indexer? And do they affect license usage?
$ sudo ls /opt/splunk/var/log/splunk
audit.log firstinstall.log metrics.log.5 splunkdstderr.log
btool.log licenseusage.log mongod.log splunkdstdout.log
conf.log metrics.log remotesearches.log splunkduiaccess.log
djangoaccess.log metrics.log.1 scheduler.log splunkd-utility.log
djangoerror.log metrics.log.2 searchhistory.log webaccess.log
djangoservice.log metrics.log.3 splunkdaccess.log webservice.log
exportmetrics.log metrics.log.4 splunkd.log
Hi @ananthan123 - Please accept the best answer so your question will be marked as resolved. But you can up-vote the other answers as well, that way these users will know you're appreciative of their help 🙂 Thanks and Happy Splunking!
Answering your question:
The log files in index=_internal do not count against your license quota. See What Splunk software logs about itself in the Troubleshooting Manual for more information about Splunk platform logging.
For all practical purposes, the forwarder works continuously. There are some attributes related to timeout intervals and load balancing that you can set in the outputs.conf file. See Configure forwarding with outputs.conf in the Forwarder Manual.
Everything that is being indexed in internal indexes, meaning indexes that start with an "_" (underscore), will not count against your license.
Everything that is on the forwarder in /var/log/splunk/ will not count against your license, as the default monitor for it is to go to internal indexes.
The forwarder will tail files and send them to Splunk. If you are using "monitor" for inputs, there is no interval set. When a new line is added to the monitored file, the forwarder reads it and sends it to the indexer.
Hope it helps.
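
To see which data is actually counted against the license, the license usage log can be searched directly. The search below is an added example, not part of the original answers; it assumes it is run where the license manager's _internal index is searchable, and uses the b (bytes), idx (index), st (sourcetype) and h (host) fields that Splunk writes to type=Usage events.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d
| bin _time span=1d
| stats sum(b) AS bytes BY _time, idx, st, h
| eval GB = round(bytes / 1024 / 1024 / 1024, 3)
| sort - _time, - GB
| fields _time, idx, st, h, GB
```

Each row is one day's counted volume for an index, sourcetype and host combination, so the largest GB values show which inputs consume the quota.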