Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Default behavior of Splunk internal logs

GaetanVP
Contributor
‎07-14-2023 02:47 AM

Hello Splunkers,

Correct me if I'm wrong but it seems that when you install Splunk UF on a machine, some logs of the machine (specifically located in  $SPLUNK_HOME/var/log) will be forwarded by default. For instance I see some default settings here  /opt/splunkforwarder/etc/system/default/inputs.conf :

GaetanVP_0-1689327749291.png

There is also similar config in this path : /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

GaetanVP_1-1689327821474.png

I am wondering about the effects of _TCP_ROUTING = *

Does it mean that those monitored paths will be sent to all tcp group defined in the outputs.conf files of my machine ? What would be the purpose of that ? Would you have a clean way to override that kind of config to send _internal logs only to one particular TCP group ?

Thanks for your time,

GaetanVP

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2023 06:23 AM

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

* To forward data from the "_internal" index, you must explicitly set
  '_TCP_ROUTING' to either "*" or a specific splunktcp target group.

So it's a default setting so that the _internal index data does get sent out. You can of course overwrite it on a per-input level using config file precedence (https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Wheretofindtheconfigurationfiles).

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...