Deployment Architecture

Change Universal forwarder metrics from _internal index to another index possible?

hethu
Path Finder

Hi,

I want to monitor a whole bunch of Universal Forwarders that i have set up and configured. All data from these are all forwarded to a heavy forwarder that forwards everything to Splunk Cloud.

My problem is that i have only access to one index in the cloud, but not the _internal index that receives UF metrics. Is it possible to change the index from _internal to the one I have access to in the UF config?

Labels (1)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

While, in theory, it may be possible to have the data go to a different index, I advise against it.  First, some of the references to _internal may be hardcoded so you won't be able to change 100% of the events. Second, making such a change may have side effects such as built-in dashboards and alerts no longer working.  Finally, data written to _internal is free whereas sending to a different index will count against your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...