Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Forwarder logs to Splunk Indexer

ssankeneni
Communicator
‎04-17-2013 01:58 PM

Do SplunkForwarder forward the metrics.log to the Splunk indexer automatically? I can see the splunkd.log files but not metrics.log file

Tags (2)
0 Karma
Reply

sbrice36
Explorer
‎05-04-2015 11:49 AM

This must have been updated with 6.2.1/6.2.2, I now see the following entry by default in "etc\apps\SplunkUniversalForwarder\default"

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

So both splunkd.log and metrics.log are now being forwarded to _internal

Reply

dstuder
Communicator
‎12-28-2018 11:10 AM

I see that in the forwarder app but I also see this in etc/system/default/input.conf which appears to be sending not only the .log files but also the rolled over log files such as .log.1, .log.2, etc.

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-25-2014 04:10 PM

By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.

You can bypass this and force the metrics.log to be forwarded with an inputs.conf like

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index=_internal
_TCP_ROUTING = *
Reply

sowings
Splunk Employee
Splunk Employee
‎05-23-2014 12:08 PM

No, the metrics.log isn't forwarded automatically. Only the splunkd.log receives a special exception. If you look at the documentation for inputs.conf here, it says explicitly:


* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*"
or a specific splunktcp target group.

The splunkd.log has this setting, but the general directory $SPLUNK_HOME/var/log/splunk does not. You'll have to create a local inputs.conf (in a small config app, or in system/local) containing:


[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *

Once this is in place, restart your forwarder.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...