Splunk Enterprise

How do I enable the _internal index to be forwarded?

jambajuice
Communicator

I have a few hundred forwarders that are not indexing locally. I would like to centralize monitoring of splunkd logs. How can I tell those servers to forward events (or specific events like error messages) to the central indexer?

I also want to confirm that those logs don't count against the license, right?

Thanks.

Craig

1 Solution

bpadmanbhachari
Splunk Employee

You can check out the link below for forwarding all internal logs or a specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...

This will not count against the license usage.

jkerai
Splunk Employee

You can add the following entry in etc/system/local/inputs.conf to forward logs to indexers.

[monitor://$SPLUNK_HOME/var/log/splunk/splunk.log]
_TCP_ROUTING = * 
index = _internal

Yes, it does not count against the license.

sloshburch
Splunk Employee

Did anyone figure out how to confirm that they are not counting against the license? I'm not that bright and it's possible I set up my confs wrong so I want to make sure it's not counting against the license.

0 Karma

tedder
Communicator

There were rumors that _TCP_ROUTING was not needed in the 4.1 world, but I can confirm that it's necessary. You can also monitor the whole directory: remove "/splunk.log" from the monitor stanza. In the 4.1 world, the _TCP_ROUTING was supposedly supplanted by adding "forwardedindex.filter.disable = FALSE" to outputs.conf. However, that doesn't fix it. So jkerai's solution is correct.

I just went through this misery yesterday!

0 Karma