Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Is there a possibility to send an internal log fro...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone please help me on this?
Is there any possibility to send universal forwarder internal logs to user specific index?
Thank you..!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AbilashSe,
Generally it is not best practice to send Internal logs to custom indexes but if you still want to send UF Internal logs to custom indexes then you can do below configuration in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf
inputs.conf on Windows UF
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
index = CUSTOM_INDEX_NAME
[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
index = CUSTOM_INDEX_NAME
inputs.conf on Linux UF
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = CUSTOM_INDEX_NAME
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index = CUSTOM_INDEX_NAME
Restart splunk on UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AbilashSe,
Generally it is not best practice to send Internal logs to custom indexes but if you still want to send UF Internal logs to custom indexes then you can do below configuration in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf
inputs.conf on Windows UF
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
index = CUSTOM_INDEX_NAME
[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
index = CUSTOM_INDEX_NAME
inputs.conf on Linux UF
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = CUSTOM_INDEX_NAME
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index = CUSTOM_INDEX_NAME
Restart splunk on UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @harsmarvania57 ,
Thank you for your help..!!
We arent going to jmplement this in UF, but i just wanted to get idea on this.
Regards,
Abilash
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can we have an use case, why you would like to put it in custom index because Internal logs going to Internal indexes such as _internal , _introspection and those does not count against splunk license.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @harsmarvania57 ,
We have installed Splunk UF in one of my VM and i just wanted to forward the Splunk internal logs to my index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can think of two off the top of my head
i want to keep forwarder logs for a different retention period than core Splunk internal logs
OR
I want forwarder logs to be on a cheaper disk than core Splunk internal logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can increase the retention of the internal index
you can also play with volumes and have colddb on separate volume that maps to a cheaper disk.
also seen user summarizing some of the data that is important to them to a summary index and keep retention that way
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
