Monitoring Splunk

How to configure heavy forwarder _internal index forwarding?

mike_k
Path Finder

I have a single instance Splunk Enterprise deployment running on Linux. I have a bunch of data feeding into my indexer from a number of Universal Forwarders on the network. My indexer is both indexing this data and on-forwarding it to a Heavy Forwarder on my network. The Heavy Forwarder then forwards my log data off to a third party system. This has all been working well.

I am attempting to configure my Heavy Forwarder so that it forwards its _internal logs back to my indexer but can't get it working.

In order to get the Heavy Forwarder forwarding _internal logs back to my Indexer, I created an app on the Heavy Forwarder /opt/splunk/etc/apps/forward_internal_back2_Indexer. Inside this app I placed the following files:
_____________________________________

default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled=0
sourcetype=splunkd
index=_internal

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled=0
sourcetype=splunkd
index=_internal
_____________________________________

default/props.conf

[splunkd]
TRANSFORMS-routing=routeBack2Indexer
_____________________________________

default/transforms.conf
[routeBack2Indexer]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=HF_internallogs_to_indexer
_____________________________________

default/outputs.conf
[tcpout:HF_internallogs_to_indexer]
server = <ip_address_of_splunk_indexer>:9997
_____________________________________

Once I had done this I restarted splunkd on the Heavy Forwarder. However, I can't seem to see _internal logs coming back from my Heavy Forwarder host.

Would appreciate some help figuring out where I've gone wrong 🙂


mike_k
Path Finder

@gcusello thanks for that. Will give that a go.


gcusello
SplunkTrust

Hi @mike_k,

ok, let me know.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Hi @mike_k,

you already have an input (in $SPLUNK_HOME/etc/system/default) that takes the internal logs, and Splunk doesn't permit indexing a log twice.

So, as described at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_s... try to copy inputs.conf from $SPLUNK_HOME/etc/system/default to $SPLUNK_HOME/etc/system/local and add

_TCP_ROUTING = HF_internallogs_to_indexer

to the internal logs stanza (and obviously restart Splunk on HF).

Ciao.

Giuseppe

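Putting the reply's suggestion together as one concrete configuration on the Heavy Forwarder (an added example, not taken from the thread or from Splunk's shipped default files): the internal-log stanzas in system/local/inputs.conf carry `_TCP_ROUTING`, and outputs.conf defines the matching group, so only those inputs are steered back to the indexer while everything else keeps using the HF's existing default output group. The stanza names are assumed to match the internal-log stanzas in system/default/inputs.conf on the HF (verify with btool as shown in the comments), and `<ip_address_of_splunk_indexer>` is a placeholder.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Heavy Forwarder
# Added example. Stanza names are assumed to match the internal-log
# stanzas in system/default/inputs.conf; confirm the effective ones with:
#   splunk btool inputs list --debug | grep var/log/splunk
# A local stanza with the same name overrides the default one instead of
# creating a second input for the same file.
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = _internal
sourcetype = splunkd
_TCP_ROUTING = HF_internallogs_to_indexer

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index = _internal
sourcetype = splunkd
_TCP_ROUTING = HF_internallogs_to_indexer

# $SPLUNK_HOME/etc/system/local/outputs.conf on the Heavy Forwarder
# Do NOT make this group the defaultGroup: the existing default group
# (the one forwarding to the third-party system) stays as it is, and
# only inputs tagged with _TCP_ROUTING above are sent to the indexer.
# <ip_address_of_splunk_indexer> is a placeholder.
[tcpout:HF_internallogs_to_indexer]
server = <ip_address_of_splunk_indexer>:9997
```

After restarting Splunk on the HF, check on the indexer with a search such as `index=_internal host=<hf_hostname> source=*splunkd.log* earliest=-15m`; if nothing arrives, `splunk btool outputs list --debug` on the HF shows whether the group name in outputs.conf matches the one in `_TCP_ROUTING` exactly, and splunkd.log on the HF reports connection errors to port 9997.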