×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Kasee
New Member
Member since: ‎07-10-2023
‎07-10-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-10-2023
Topics I've Started
No posts to display.
View All

Re: How to fix my universal forwarder configuratio...

by in Getting Data In
‎07-10-2023 09:05 AM
‎07-10-2023 09:05 AM
The default setting for the inputs.conf for the UF is a wildcard.  Change this to the default group in the local inputs.conf to override the setting. Pulled from the default inputs.conf for the UF: [monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]  _TCP_ROUTING = * index = _internal     [monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]  _TCP_ROUTING = * index = _internal  Add it in the local inputs.conf  and change it to what ever the default group is on the outputs.conf, based on what was put in the thread appears to be group_a:   [monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]  _TCP_ROUTING = group_a index = _internal     [monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]  _TCP_ROUTING = group_a index = _internal    This should eliminate the _internal logs from being forwarded to the 3rd Party system. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-10-2023 09:18 AM