I really appreciate it！ finally I achieved my goal. index="my_unix_index" Oct 12 09:37:27 SPLUNK-UF OneApp[1579]: [notice] 2022/10/12 09:37:27 1665535047.3298 uid=tx_pt999 domain=local level=notice code=54201 message=OneApp Authentication succeeded. host_ip=192.168.0.52 client_ip=192.168.0.5 client_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 client_cookie= admin_id= host = SPLUNK-UF | source = /var/log/messages | sourcetype = unix_messages ... View more

Thanks for following me. I tried: <<< server side >>> # $SPLUNK_HOME/bin/splunk add index my_unix_index <<<   UF side   >>> # $SPLUNK_HOME/bin/splunk remove monitor /var/log/messages # $SPLUNK_HOME/bin/splunk add monitor /var/log/messages -sourcetype unix_messages -index my_unix_index # cat $SPLUNK_HOME/etc/system/local/props.conf [unix_messages] force_local_processing = true SEDCMD-notab = s/\x09/ /g # # $SPLUNK_HOME/bin/splunk restart then Result is: Oct 11 22:37:32 SPLUNK-UF OneApp[3007]: [notice] 2022/10/11 22:37:32\x091665495452.2401\x09uid=tx_pt999\x09domain=local\x09level=notice\x09code=54201\x09message=OneApp Authentication succeeded.\x09host_ip=192.168.0.52\x09client_ip=192.168.0.5\x09client_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\x09client_cookie=\x09admin_id= 　host = SPLUNK-UF source = /var/log/messages sourcetype = unix_messages What settings am I missing? ... View more

Thank you for your answer.   I tried it. But , nothing changed on the Splunk Server side.  Oct 11 16:47:17 SPLUNK-UF OneApp[2417]: [notice] 2022/10/11 16:47:17\x091665474437.6657\x09uid=user999\x09domain=local\x09level=notice\x09code=54201\x09message=OneApp Authentication succeeded.\x09host_ip=192.168.0.52\x09client_ip=192.168.0.5\x09client_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\x09client_cookie=\x09admin_id=   I installed UF as follows: # export SPLUNK_HOME="/opt/splunkforwarder" # vi .bash_profile # mkdir $SPLUNK_HOME # tar xvzf splunkforwarder-9.0.1-82c987350fde-Linux-x86_64.tgz -C /opt # useradd -m splunk # passwd splunk # chown -R splunk:splunk $SPLUNK_HOME # $SPLUNK_HOME/bin/splunk start --accept-license # $SPLUNK_HOME/bin/splunk stop # $SPLUNK_HOME/bin/splunk disable boot-start # $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1 # $SPLUNK_HOME/bin/splunk start # $SPLUNK_HOME/bin/splunk add forward-server 192.168.0.51:9997 # $SPLUNK_HOME/bin/splunk add monitor /var/log/messages # $SPLUNK_HOME/bin/splunk restart   Currently there are only three files in the "$SPLUNK_HOME/etc/system/local" folder: I don't know what to do. What additional settings are required? # ls $SPLUNK_HOME/etc/system/local README outputs.conf props.conf server.conf # # cat $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 192.168.0.51:9997 [tcpout-server://192.168.0.51:9997] # # cat $SPLUNK_HOME/etc/system/local/server.conf [general] serverName = SPLUNK-UF pass4SymmKey = *** [sslConfig] sslPassword = *** [lmpool:auto_generated_pool_forwarder] description = auto_generated_pool_forwarder peers = * quota = MAX stack_id = forwarder [lmpool:auto_generated_pool_free] description = auto_generated_pool_free peers = * quota = MAX stack_id = free # # cat $SPLUNK_HOME/etc/system/local/props.conf [mysourcetype] force_local_processing = true SEDCMD-notab = s/\x09/ /g # ... View more

Thank you for your answer. Since I am a beginner, it will take some time to report the results. I'll test it. ... View more