Solved: How to forward internal logs from the Master Node ...

ishaanshekhar · ‎09-23-2015

Dear SPLUNK Community,

I need to send the internal logs from Master Node to the Indexers so that it can be viewed by the Search Heads.

Here is my outputs.conf:

[indexAndForward]
index = false

[tcpout]
defaultGroup=indexer_group1
forwardedindex.filter.disable = true
indexAndForward=false

[tcpout:indexer_group1]
autoLBFrequency=40
server=Ind1:9997,Ind2:9997,Ind3:9997

Q1) Should I place this in $SPLUNK_HOME/etc/system/local/ ,or can I also place it in $SPLUNK_HOME/etc/apps/push_internal_data_app/local/ ?

Q2) Do I need to restart the Master Node? If yes, then what is the ideal way to restart the master in this scenario?

Thanks in advance!!
Ishaan

somesoni2 · ‎09-23-2015

1) You can place in any of those locations, I would prefer putting it in push_internal_data_app.
2) You would need to restart Splunk instance for outputs.conf to take effect. See this link for recommendations/details on Cluster master restart.
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Whathappenswhenamasternodegoesdown

View solution in original post

somesoni2 · ‎09-23-2015

1) You can place in any of those locations, I would prefer putting it in push_internal_data_app.
2) You would need to restart Splunk instance for outputs.conf to take effect. See this link for recommendations/details on Cluster master restart.
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Whathappenswhenamasternodegoesdown

How to forward internal logs from the Master Node to Indexers?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation