Community:ForwarderInternalLogs

From Splunk Wiki

Jump to: navigation, search

The Splunk internal logs are no longer automatically included in events sent from a forwarder to the indexer. If you want to have the forwarder's internal logs in the _internal index on the indexer, add this stanza to the forwarder's inputs.conf:

[monitor://$SPLUNK_HOME/var/log/splunk] 
index = _internal 
_TCP_ROUTING = * 
_whitelist = /(audit|license_audit|metrics|splunkd|splunkd_stderr|splunkd_stdout|splunklogger)\.log$ 

Modify as appropriate for the path if necessary. On Windows hosts, replace '/' with '\' Windows path separators.

Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk