Guys.
I have many Universal Forwarders installed in the machines that send logs to one Heavy Forwarder.
This Heavy Forwarder sends log to my indexer.
I do not know why each universal forwarder is sending its own internal logs (splunkd, metrics, etc) and indexing this data. I do not want the internal logs from each universal forwarder.
I've tried to filter these logs in the heavy forwarder, but it's not working.
What can I do?
Thanks.
↧