Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarder logs to Splunk Indexer

ssankeneni
Communicator
‎04-17-2013 01:58 PM

Do SplunkForwarder forward the metrics.log to the Splunk indexer automatically? I can see the splunkd.log files but not metrics.log file

Tags (2)
0 Karma
Reply

sbrice36
Explorer
‎05-04-2015 11:49 AM

This must have been updated with 6.2.1/6.2.2, I now see the following entry by default in "etc\apps\SplunkUniversalForwarder\default"

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

So both splunkd.log and metrics.log are now being forwarded to _internal

Reply

dstuder
Communicator
‎12-28-2018 11:10 AM

I see that in the forwarder app but I also see this in etc/system/default/input.conf which appears to be sending not only the .log files but also the rolled over log files such as .log.1, .log.2, etc.

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-25-2014 04:10 PM

By default, universal and lightweight forwarders are not forwarding the metrics.log, only splunkd.log.

You can bypass this and force the metrics.log to be forwarded with an inputs.conf like

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index=_internal
_TCP_ROUTING = *
Reply

sowings
Splunk Employee
Splunk Employee
‎05-23-2014 12:08 PM

No, the metrics.log isn't forwarded automatically. Only the splunkd.log receives a special exception. If you look at the documentation for inputs.conf here, it says explicitly:


* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*"
or a specific splunktcp target group.

The splunkd.log has this setting, but the general directory $SPLUNK_HOME/var/log/splunk does not. You'll have to create a local inputs.conf (in a small config app, or in system/local) containing:


[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *

Once this is in place, restart your forwarder.

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...