Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the Universal Forwarder indexing its own logs?

wvalente
Explorer
‎11-01-2018 07:40 AM

Guys.

I have many Universal Forwarders installed in the machines that send logs to one Heavy Forwarder.

This Heavy Forwarder sends log to my indexer.

I do not know why each universal forwarder is sending its own internal logs (splunkd, metrics, etc) and indexing this data. I do not want the internal logs from each universal forwarder.

I've tried to filter these logs in the heavy forwarder, but it's not working.

What can I do?

Thanks.

0 Karma
Reply

bcyates
Communicator
‎11-01-2018 08:35 AM

It is best practice to index _internal logs. Your Distributed Monitoring Console won't fully work without it and you won't really be able to remotely troubleshoot any problems on your UFs.

If you are worried about the amount of data in the index, just adjust frozenTimePeriodinSecs on those indexes so you don't hang on to them for too long

0 Karma
Reply

FrankVl
Ultra Champion
‎11-01-2018 07:45 AM

You can disable those inputs on the Universal Forwarder.

But usually these internal logs are considered very useful for monitoring the health of those instances and troubleshooting issues with data feeds, so I would highly recommend keeping them enabled actually.

Also: since this is going into _internal index, this is not counting against your license (if that is what you were worried about).

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...