Splunk forwarder

kajalchopade071 · ‎03-01-2022

How to check inputs.conf file to see the how the log files are being sent to splunk.

How to check forwarder is running and moved data to splunk index?

gcusello · ‎03-02-2022

you can check if a Forwarder is running searching in _internal index, something like this:

index=_internal host=your_host

if you have results, Forwarder is up and running.

To check if a Forwarder is sending a kind of logs, you have to do the same thing in the index containing the logs to check.

if you have many hosts to monitor, you have to create a lookup (called e.g. perimeter.csv), containing all the hosts to monitor (e.g. in a column called host) and run a little more comples search:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Splunk forwarder

heavy forwarder

inputs.conf

intermediate forwarder

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

Splunk forwarder

heavy forwarder

inputs.conf

intermediate forwarder

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026