Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I enable the _internal index to be forwarded?

jambajuice
Communicator
‎01-14-2011 10:03 PM

I have a few hundred forwarders that are not indexing locally. I would like to centralize monitoring of splunkd logs. How can I tell those servers to forward events (or specific events like error messages) to the central indexer?

I also want to confirm that those logs don't count against the license, right?

Thanks.

Craig

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

bpadmanbhachari
Splunk Employee
Splunk Employee
‎04-30-2019 03:23 AM

You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...

This will not count against the license usage

View solution in original post

Reply
Solved! Jump to solution
Solution

bpadmanbhachari
Splunk Employee
Splunk Employee
‎04-30-2019 03:23 AM

You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...

This will not count against the license usage

Reply
Solved! Jump to solution

jkerai
Splunk Employee
Splunk Employee
‎01-14-2011 10:51 PM

You can add the following entry in etc/system/local/inputs.conf to forward logs to indexers.

[monitor://$SPLUNK_HOME/var/log/splunk/splunk.log]
_TCP_ROUTING = * 
index = _internal

Yes, it does not count against the license.

Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎02-19-2013 09:10 AM

Did anyone figure out how to confirm that they are not counting against the license? I'm not that bright and it's possible I set up my confs wrong so I want to make sure it's not counting against the license.

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎01-14-2011 11:27 PM

There were rumors that _TCP_ROUTING was not needed in the 4.1 world, but I can confirm that it's necessary. You can also monitor the whole directory- remove "/splunk.log" from the monitor stanza. In the 4.1 world, the _TCP_ROUTING was supposedly supplanted by adding "forwardedindex.filter.disable = FALSE" to outputs.conf. However, that doesn't fix it. So jkerai's solution is correct.

I just went through this misery yesterday!

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...