Thanks, I tried "index =_internal | stats count by host" but don't see the newly installed UF host name there. Then I tried "./splunk add forward-server <host name or ip address>:<listening port>" but it says it's already there. So I removed both inputs.conf and outputs.conf and then tried the above command, which created outputs.conf. Also, I re-added inputs.conf manually and then restarted Splunk without any success. I do see errors in splunkd.log on the UF, as shown below: TailReader [19453 tailreader0] - error from read call from '/var/log/message'. Maybe it's a permission issue.