Solved: Can you give me some clarification on Monitoring _...

EHariharan · ‎01-10-2019

Hi Everyone,

I am new to Splunk. Here I am having some clarification on monitoring _internal logs.

I do have 4 IDX, 2 SHD, DPL, DPM, Master. Am I able to monitor the logs from those instances without using a universal forwarder (UF)?

We could use the UF to forward logs, but Splunk advises us to use one instance in one server.

Please Advice!

richgalloway · ‎01-10-2019

All of your Splunk instances (except the indexers) should be forwarding their internal logs to your indexers. They have the ability to forward logs without a separate forwarder. See https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Forwardsearchheaddata

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-10-2019

All of your Splunk instances (except the indexers) should be forwarding their internal logs to your indexers. They have the ability to forward logs without a separate forwarder. See https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Forwardsearchheaddata

---
If this reply helps you, Karma would be appreciated.

EHariharan · ‎01-10-2019

Thank you Mr.Richgalloway

Did those instances forward the OS logs without UF?

richgalloway · ‎01-10-2019

Yes, they do, if you follow the instructions in the link.

---
If this reply helps you, Karma would be appreciated.

Can you give me some clarification on Monitoring _internal logs?