Deployment Architecture

enabling *nix with universal forwarder stops forwarding logs from /etc/system/local/inputs.conf

New Member

I'm trying to get the *nix app going using the universal forwarder. I can forward logs fine from /etc/system/local/inputs.conf until I enable the *nix app. Once I enable the app it does forward *nix /etc/apps/unix/local/inputs.conf logs but not my system defined logs.

When *nix is enabled the splunkd.log just stays on INFO TcpOutputProc - Connected to idx=:9997
When it's disabled it updates fine and shows processing of the log files.

I've tried the configuration from my main splunk receiver server that is also using *nix and the default one from the unix/defaults/. Both cause the same action.

0 Karma

New Member

I do have an OS index defined exactly like you described. I should have clarified a little better. My indexer is also my search head all in one box. From the portal I installed the *nix app and it's collecting data for that host.

I'm trying to get one host configured with the forwarder so I can deploy it to the rest of my hosts.

The machine I'm trying to get the Universal Forwarder on will also forward the *nix inputs but only those. Once I disabled the *nix app my inputs defined in my etc/system/local/inputs.conf will start flowing again. It's acting like it's one or the other.

0 Karma


Most inputs in the *nix app are configured to go to the "os" index. If you do not have this indexed defined on your indexer then the data will not be indexed. The easiest way to configure the os index would be to add the following configuration to your $SPLUNK_HOME/etc/system/local/indexes.conf:

## indexes.conf
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

Installing the *nix app on your indexer will also provide this index, however it will enable certain things you wouldn't want enabled on a pure indexer.

0 Karma