When we use universal forwarder, do you know where forwarded data is on the Splunk server? Could you please tell me which path/directory for forwarded data?
When you use universal forwarder then it reads data from files, script etc in inputs.conf file http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/inputsconf and it sends data to indexer given in outputs.conf file http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconf
data in indexer is stored in indexes in location $SPLUNK_HOME/var/lib/splunk in indexer http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Splunk-launchconf
View solution in original post
