Hello Splunkers,
Correct me if I'm wrong, but it seems that when you install Splunk UF on a machine, some logs of the machine (specifically those located in $SPLUNK_HOME/var/log) will be forwarded by default. For instance, I see some default settings here /opt/splunkforwarder/etc/system/default/inputs.conf:
There is also a similar config in this path: /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf
I am wondering about the effects of _TCP_ROUTING = *
Does it mean that those monitored paths will be sent to all TCP groups defined in the outputs.conf files of my machine? What would be the purpose of that? Would you have a clean way to override that kind of config to send _internal logs only to one particular TCP group?
Thanks for your time,
GaetanVP
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
* To forward data from the "_internal" index, you must explicitly set
'_TCP_ROUTING' to either "*" or a specific splunktcp target group.
So it's a default setting so that the _internal index data does get sent out. You can of course overwrite it on a per-input level using config file precedence (https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Wheretofindtheconfigurationfiles).
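
As an added illustration of the precedence-based override described in the answer above (not part of the original thread and not Splunk's code): a simplified Python model of how inputs.conf layers merge per stanza and per setting, in the order system/local, app local, app default, system default. The layer contents, the app name org_uf_routing and the group name internal_indexers are constructed assumptions, and ordering between multiple apps is not modeled.

```python
import configparser

STANZA = "monitor://$SPLUNK_HOME/var/log/splunk"  # assumed stanza name

# Constructed inputs.conf layers, highest precedence first. Stanza names, the
# app "org_uf_routing" and the group "internal_indexers" are assumptions; the
# group would need a matching [tcpout:internal_indexers] stanza in outputs.conf.
LAYERS = [
    ("etc/system/local", ""),
    ("etc/apps/org_uf_routing/local", """
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = internal_indexers
"""),
    ("etc/apps/SplunkUniversalForwarder/default", """
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME/var/log/watchdog]
_TCP_ROUTING = *
index = _internal
"""),
    ("etc/system/default", """
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
"""),
]

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="__unused__")
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def effective(layers):
    """Merge per stanza and per setting: the highest layer that sets a key wins."""
    merged = {}
    for path, text in layers:
        for stanza, settings in parse(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {}).setdefault(key, (value, path))
    return merged

if __name__ == "__main__":
    for stanza, settings in effective(LAYERS).items():
        for key, (value, path) in settings.items():
            print(f"[{stanza}] {key} = {value}   <- {path}")
```

The override only applies to the stanza whose name it matches exactly, so the second monitored path in this sample keeps `_TCP_ROUTING = *`. On a real forwarder, `splunk btool inputs list --debug` shows the merged settings and the file each one comes from.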