Getting Data In

Can I configure my deployment server to send deployment related logs to another splunk for searching?

juniormint
Communicator

I have a dedicated machine for my splunk forwarder configuration deployment server. I would like to send the deployment related logs to another Splunk instance which serves as my indexer/search node.

Any idea how to do this?

Tags (2)
0 Karma
1 Solution

lguinn2
Legend

If you set up your deployment server as a forwarder, by adding an outputs.conf file, you can send its Splunk logs to your indexer. Splunk automatically monitors its internal logs, so your deployment-related logs should be sent automatically. The following example assumes that the indexer is named yourhost.yourcompany.com and that it is listening for input on port 9997.

outputs.conf

[tcpout:group1]
server=yourhost.yourcompany.com:9997

If this doesn't work like you expect, make sure that your deployment server has an inputs.conf that contains something like this:

[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal

Here is a good item in the documentation: What Splunk logs about itself

View solution in original post

lguinn2
Legend

If you set up your deployment server as a forwarder, by adding an outputs.conf file, you can send its Splunk logs to your indexer. Splunk automatically monitors its internal logs, so your deployment-related logs should be sent automatically. The following example assumes that the indexer is named yourhost.yourcompany.com and that it is listening for input on port 9997.

outputs.conf

[tcpout:group1]
server=yourhost.yourcompany.com:9997

If this doesn't work like you expect, make sure that your deployment server has an inputs.conf that contains something like this:

[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal

Here is a good item in the documentation: What Splunk logs about itself

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...