Getting Data In

Splunk Forwarder logs to Splunk Indexer

ssankeneni
Communicator

Does SplunkForwarder forward the metrics.log to the Splunk indexer automatically? I can see the splunkd.log files but not the metrics.log file.


sbrice36
Explorer

This must have been updated with 6.2.1/6.2.2; I now see the following entry by default in "etc\apps\SplunkUniversalForwarder\default":

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

So both splunkd.log and metrics.log are now being forwarded to _internal.

dstuder
Communicator

I see that in the forwarder app, but I also see this in etc/system/default/inputs.conf, which appears to be sending not only the .log files but also the rolled-over log files such as .log.1, .log.2, etc.

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

yannK
Splunk Employee

By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.

You can bypass this and force the metrics.log to be forwarded with an inputs.conf like:

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index=_internal
_TCP_ROUTING = *

sowings
Splunk Employee

No, the metrics.log isn't forwarded automatically. Only the splunkd.log receives a special exception. If you look at the documentation for inputs.conf here, it says explicitly:


* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*"
or a specific splunktcp target group.

The splunkd.log has this setting, but the general directory $SPLUNK_HOME/var/log/splunk does not. You'll have to create a local inputs.conf (in a small config app, or in system/local) containing:


[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *

Once this is in place, restart your forwarder.
