I have a few hundred forwarders that are not indexing locally. I would like to centralize monitoring of splunkd logs. How can I tell those servers to forward events (or specific events like error messages) to the central indexer?
I also want to confirm that those logs don't count against the license, right?
Thanks.
Craig
You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...
This will not count against the license usage
You can check out for below link for forwarding all internal logs or specific index alone.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad#Forward_all_extern...
This will not count against the license usage
You can add the following entry in etc/system/local/inputs.conf to forward logs to indexers.
[monitor://$SPLUNK_HOME/var/log/splunk/splunk.log] _TCP_ROUTING = * index = _internal
Yes, it does not count against the license.
Did anyone figure out how to confirm that they are not counting against the license? I'm not that bright and it's possible I set up my confs wrong so I want to make sure it's not counting against the license.
There were rumors that _TCP_ROUTING was not needed in the 4.1 world, but I can confirm that it's necessary. You can also monitor the whole directory- remove "/splunk.log" from the monitor stanza. In the 4.1 world, the _TCP_ROUTING was supposedly supplanted by adding "forwardedindex.filter.disable = FALSE" to outputs.conf. However, that doesn't fix it. So jkerai's solution is correct.
I just went through this misery yesterday!