Hi all,
Maybe a dumb question, but do I need to set up a Universal Forwarder on the Splunk server to monitor and index data? (So it's like the server is forwarding data to itself.)
I tried setting up an app in etc/apps/ with the config below, but it doesn't work.
inputs.conf
[batch:///opt/splunk/temp/test_forward/*]
move_policy = sinkhole
disabled = 0
index = test
sourcetype = test
crcSalt = test
_TCP_ROUTING = test
outputs.conf
[indexAndForward]
index = false
[tcpout]
indexAndForward = false
maxQueueSize = 200MB
[tcpout:test]
server = <server IP>:9997
Thanks
Please follow the below example
# 1. In outputs.conf:
[tcpout]
defaultGroup = indexers
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
# 2. In inputs.conf, add _INDEX_AND_FORWARD_ROUTING for any data that you want
# to index locally, and _TCP_ROUTING=<target_group> for data to be forwarded.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local
[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
Isn't this almost the same as my config file?
I know which parameter does what, so you don't need to give the example (and while my original question is about a batch stanza, your example is for a monitor stanza -- not helpful). My question is what's wrong with my config, and it was not answered.
Anyway, thanks for trying to help.
I managed to fix the issue myself in the end.
What are you trying to achieve? It's been mentioned as a Splunk server; if this is a full-blown instance of Splunk, why are you using a UF?
I'm not using a UF, at least not yet.
I tried to monitor the file as shown in the config above, but it doesn't work. Do you know why?