Getting Data In

Default behavior of Splunk internal logs

GaetanVP
Contributor

Hello Splunkers,

Correct me if I'm wrong but it seems that when you install Splunk UF on a machine, some logs of the machine (specifically located in  $SPLUNK_HOME/var/log) will be forwarded by default. For instance I see some default settings here  /opt/splunkforwarder/etc/system/default/inputs.conf :

GaetanVP_0-1689327749291.png

There is also similar config in this path : /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

GaetanVP_1-1689327821474.png

I am wondering about the effects of _TCP_ROUTING = *

Does it mean that those monitored paths will be sent to all tcp group defined in the outputs.conf files of my machine ? What would be the purpose of that ? Would you have a clean way to override that kind of config to send _internal logs only to one particular TCP group ?

Thanks for your time,

GaetanVP

 

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

* To forward data from the "_internal" index, you must explicitly set
  '_TCP_ROUTING' to either "*" or a specific splunktcp target group.

So it's a default setting so that the _internal index data does get sent out. You can of course overwrite it on a per-input level using config file precedence (https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Wheretofindtheconfigurationfiles).

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...