Splunk® Universal Forwarder

Forwarder Manual

How to forward data to Splunk Enterprise

The most common way to use the universal forwarder is to send data to a Splunk Enterprise indexer or indexer cluster.

You can also forward data to Splunk Enterprise from heavy and light forwarders. See Enable forwarding on a Splunk Enterprise instance in the Splunk Enterprise Forwarding Data Manual for details.

  1. Configure receiving on a Splunk Enterprise instance or cluster.
  2. Download and install the universal forwarder.
  3. Start the universal forwarder and accept the license agreement. Some installers do this for you.
  4. (Optional) Change the credentials on the universal forwarder from their defaults.
  5. Configure the universal forwarder to send data to the Splunk Enterprise instance.
  6. (Optional) Configure the universal forwarder to act as a deployment client.
  7. Configure the universal forwarder to collect data from the host it is on.

After you set up forwarding, you can perform these advanced, optional steps for increased security and data reliability.

Configure receiving on Splunk Enterprise

You must configure a Splunk Enterprise indexer to receive data before you can send data to it. If you do not do this, data does not go anywhere.

See Enable a receiver to configure a Splunk Enterprise indexer to receive data.

Download and install the universal forwarder

If you have not downloaded the universal forwarder, do so now.

You must select the correct type of forwarder for your operating system. Splunk provides a universal forwarder for many operating systems. See the following topics for specific installation instructions:

Start the universal forwarder

Before the universal forwarder can accept configurations and forward data, it must be started.

The Windows and Mac OS X universal forwarder installation packages let you view and accept the license agreement and start the universal forwarder automatically. For other installation packages, you must start the universal forwarder and accept the license agreement from the command line.

See Start the universal forwarder to learn how to start the universal forwarder, whether it is the first time or after you have made configuration changes.

Configure the universal forwarder to send data to the Splunk Enterprise indexer

Before the universal forwarder can send data to Splunk Enterprise, you must configure it with the Splunk Command Line Interface (CLI).

This procedure details a basic configuration. For additional configuration options, see Configure the universal forwarder.

  1. From a command or shell prompt on the universal forwarder, go to the $SPLUNK_HOME/bin directory.
     Unix:    cd $SPLUNK_HOME/bin
     Windows: cd %SPLUNK_HOME%\bin
  2. Specify the host name or IP address of the Splunk Enterprise receiver.
     Unix:    ./splunk add forward-server <host>:<port>
     Windows: .\splunk add forward-server <host>:<port>

    host is the name or IP address of the Splunk Enterprise host that should receive the data.
    port is the TCP port that you configured in Enable a receiver in this manual.

The instance confirms your credentials before adding the forwarding host:

./splunk add forward-server splunkaday-linux-light:8999
Added forwarding to: splunkaday-linux-light:8999.

Configure the universal forwarder as a deployment client

When you configure the universal forwarder as a deployment client, you can control configuration of the universal forwarder from a central place. You can use Splunk Web to configure things such as what configurations a forwarder gets, what add-ons it receives, and what data it collects.

Before you can deploy configurations to a universal forwarder with a deployment server, you must configure it to connect to the deployment server. Every Splunk Enterprise indexer can be a deployment server, and the deployment server automatically activates when a universal forwarder connects to the indexer management port. The forwarder then becomes a deployment client.

  1. From a command or shell prompt on the universal forwarder, go to the $SPLUNK_HOME/bin directory.
     Unix:    cd $SPLUNK_HOME/bin
     Windows: cd %SPLUNK_HOME%\bin
  2. Specify the host name or IP address of the deployment server.
     Unix:    ./splunk set deploy-poll <host>:<port>
     Windows: .\splunk set deploy-poll <host>:<port>

    host is the name or IP address of the deployment server.
    port is the management port of the deployment server. It defaults to 8089.
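The following shell script is an added example and is not part of Splunk's documentation or software. It wraps the two CLI commands from the procedures above, splunk add forward-server and splunk set deploy-poll, with a check on the <host>:<port> argument before the command runs, fills in the default management port 8089 for a deployment server given as a bare host, and prints the command instead of running it when SPLUNK_HOME does not point at a forwarder. The hostnames, the SPLUNK_AUTH variable and the function names are the example's own assumptions; -auth is the real CLI flag for passing credentials.

```shell
#!/bin/sh
# Added example, not Splunk's code: validate a <host>:<port> target before it
# reaches "splunk add forward-server" or "splunk set deploy-poll". Assumes
# SPLUNK_HOME is the universal forwarder install root; when it is unset or the
# CLI is missing, the wrapper only prints the command it would have run.

# Accept <host>:<port> where host is a hostname or IPv4 address (IPv6 literals
# are deliberately not handled here) and port is 1..65535. A typo rejected
# here never lands in outputs.conf or deploymentclient.conf.
validate_target() {
    target=$1
    case "$target" in
        *:*:*|:*|*:) return 1 ;;   # more than one colon, empty host, empty port
        *:*) ;;
        *) return 1 ;;             # no port at all
    esac
    host=${target%:*}
    port=${target##*:}
    case "$host" in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case "$port" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# The deployment server's management port defaults to 8089; fill it in when
# the caller gives only a host.
deploy_target() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:8089\n' "$1" ;;
    esac
}

# Run one forwarder CLI subcommand ("add forward-server" or "set deploy-poll")
# against a validated target. If SPLUNK_AUTH (user:password) is set it is
# passed with the real -auth flag; otherwise the CLI prompts for credentials.
run_splunk() {
    subcmd=$1
    target=$2
    if ! validate_target "$target"; then
        echo "rejected target: $target" >&2
        return 1
    fi
    if [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        if [ -n "${SPLUNK_AUTH:-}" ]; then
            "$SPLUNK_HOME/bin/splunk" $subcmd "$target" -auth "$SPLUNK_AUTH"
        else
            "$SPLUNK_HOME/bin/splunk" $subcmd "$target"
        fi
    else
        echo "dry run: splunk $subcmd $target"
    fi
}

# Example usage with constructed hostnames (dry run unless SPLUNK_HOME points
# at a real forwarder):
run_splunk "add forward-server" "indexer.example.com:9997"
run_splunk "set deploy-poll" "$(deploy_target deploy.example.com)"
```

Run it once with SPLUNK_HOME unset to see the commands it would issue, then with SPLUNK_HOME set on the forwarder to apply them; a rejected target is reported on stderr and the CLI is never called.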

Configure the universal forwarder to collect data from the host it is on

You can collect data on the universal forwarder using several methods.

Define inputs on the universal forwarder with the CLI

You can use the CLI to define inputs on the universal forwarder. After you define the inputs, the universal forwarder collects data based on those definitions as long as it has access to the data that you want to monitor.

For example, to define a Windows event log input on a Windows version of the universal forwarder:

.\splunk enable eventlog System

To define a file monitor input against the /var/log/messages file on a *nix host:

./splunk add monitor /var/log/messages

For more examples of using the CLI to add inputs, see the data ingestion topics in the Splunk Enterprise Getting Data In manual.

Define inputs on the universal forwarder with configuration files

If the input you want to configure does not have a CLI argument for it, you can configure inputs with configuration files.

  1. Using a command or shell prompt, navigate to the universal forwarder configuration directory.
     Unix:    cd $SPLUNK_HOME/etc/system/local
     Windows: cd %SPLUNK_HOME%\etc\system\local
  2. Create an inputs.conf file in this directory.
  3. Edit the file by adding stanzas to inputs.conf.
    For example, to add the Windows Security, Application, and System event logs to a monitoring stanza on the universal forwarder:
    # Windows platform specific input processor.
    [WinEventLog://Application]
    disabled = 0

    [WinEventLog://Security]
    disabled = 0

    [WinEventLog://System]
    disabled = 0


    To monitor Apache log files:

    [monitor:///apache/*.log]
    disabled = 0
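The following shell script is an added example, not Splunk's own code. It generates the same kind of inputs.conf stanzas shown above (monitor:// and WinEventLog://) from a list of inputs, rejects a relative monitor path or a malformed channel name before anything is written, and refuses to overwrite an inputs.conf that already exists in the target directory. The INPUTS_DIR variable, the monitor:/wineventlog: argument syntax and the function names are the example's assumptions; SPLUNK_HOME/etc/system/local is the directory the procedure above uses.

```shell
#!/bin/sh
# Added example, not Splunk's code: build inputs.conf stanzas from a list of
# paths and Windows event log channels and write them to the forwarder's local
# configuration directory. Assumes SPLUNK_HOME is the forwarder install root;
# INPUTS_DIR overrides the destination so the script can be tried anywhere.

# Emit a [monitor://...] stanza. Only absolute paths are accepted: a relative
# path would be resolved against the forwarder's working directory, which is
# rarely what was intended. Globs such as /apache/*.log are passed through.
monitor_stanza() {
    path=$1
    case "$path" in
        /*) ;;
        *) echo "monitor path must be absolute: $path" >&2; return 1 ;;
    esac
    printf '[monitor://%s]\ndisabled = 0\n\n' "$path"
}

# Emit a [WinEventLog://...] stanza for a named channel.
wineventlog_stanza() {
    channel=$1
    case "$channel" in
        ''|*[!A-Za-z0-9_-]*) echo "bad channel name: $channel" >&2; return 1 ;;
    esac
    printf '[WinEventLog://%s]\ndisabled = 0\n\n' "$channel"
}

# Assemble the file body from arguments of the form monitor:<path> or
# wineventlog:<channel>; stop at the first rejected entry so a half-built
# configuration is never produced.
render_inputs_conf() {
    out=""
    for spec in "$@"; do
        kind=${spec%%:*}
        value=${spec#*:}
        case "$kind" in
            monitor)     chunk=$(monitor_stanza "$value") || return 1 ;;
            wineventlog) chunk=$(wineventlog_stanza "$value") || return 1 ;;
            *) echo "unknown input kind: $kind" >&2; return 1 ;;
        esac
        out="$out$chunk

"
    done
    printf '%s' "$out"
}

# Write inputs.conf, refusing to clobber an existing file, with permissions
# restricted to the owner (the file reveals what the host monitors).
# Prints the path of the file it wrote.
write_inputs_conf() {
    if [ -z "${INPUTS_DIR:-}" ] && [ -z "${SPLUNK_HOME:-}" ]; then
        echo "set SPLUNK_HOME or INPUTS_DIR" >&2
        return 1
    fi
    dir=${INPUTS_DIR:-$SPLUNK_HOME/etc/system/local}
    file="$dir/inputs.conf"
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing $file" >&2
        return 1
    fi
    content=$(render_inputs_conf "$@") || return 1
    mkdir -p "$dir"
    ( umask 077; printf '%s\n' "$content" > "$file" )
    echo "$file"
}

# Example usage; defaults to a scratch directory so running the script does
# not touch a real forwarder unless INPUTS_DIR is set first.
INPUTS_DIR=${INPUTS_DIR:-$(mktemp -d)/etc/system/local}
write_inputs_conf monitor:/var/log/messages 'monitor:/apache/*.log' \
    wineventlog:Application wineventlog:Security wineventlog:System
```

Restart the forwarder after writing the file, as with any change under etc/system/local.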
    

For more examples of using configuration files to define inputs, see Monitor files and directories with inputs.conf in Getting Data In.

Install an add-on into the universal forwarder

  1. Stop the universal forwarder.
     Unix:    cd $SPLUNK_HOME/bin
              ./splunk stop
     Windows: cd %SPLUNK_HOME%\bin
              .\splunk stop
  2. Download the add-on from Splunkbase, if you have not already.
  3. Install the add-on into the universal forwarder.
     Unix:    tar xvzf /path/to/add-on.tgz -C $SPLUNK_HOME/etc/apps
     Windows: There is no Windows equivalent of tar. Use WinZip or another archive utility to extract the add-on into the %SPLUNK_HOME%\etc\apps folder.
  4. (Optional) Configure the add-on on the forwarder by editing configuration files or running scripts included with the add-on.
  5. Restart the universal forwarder.
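The following shell script is an added example and is not part of Splunk's documentation or software. It covers the *nix install step above with two checks that the bare tar command does not make: the archive's SHA-256 is compared with a value recorded when it was downloaded, and the archive listing is inspected so that an entry with an absolute path or a ".." segment, or a second top-level directory, stops the install before anything is extracted into etc/apps. The APPS_DIR variable, the function names and the placeholder archive path and digest are the example's assumptions; /opt/splunkforwarder is the forwarder's default *nix install location.

```shell
#!/bin/sh
# Added example, not Splunk's code: check an add-on archive before unpacking it
# into the forwarder's apps directory. Assumes a .tgz as downloaded from
# Splunkbase; APPS_DIR overrides the destination ($SPLUNK_HOME/etc/apps) so
# the script can be exercised outside a real install.

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Read a tar listing on stdin. Reject entries that would land outside the
# apps directory (absolute paths, ".." segments) and listings that do not
# share a single top-level app directory. Returns 0 for an acceptable listing.
check_archive_listing() {
    top=""
    while IFS= read -r entry; do
        case "$entry" in
            /*|..|../*|*/..|*/../*)
                echo "unsafe entry: $entry" >&2
                return 1 ;;
        esac
        first=${entry%%/*}
        if [ -z "$top" ]; then
            top=$first
        elif [ "$first" != "$top" ]; then
            echo "more than one top-level entry: $top, $first" >&2
            return 1
        fi
    done
    [ -n "$top" ]
}

# Verify the archive against the SHA-256 recorded at download time ("-" skips
# the check), inspect its listing, and only then extract it. Nothing is
# written if any step fails.
install_addon() {
    archive=$1
    expected=$2
    apps_dir=${APPS_DIR:-${SPLUNK_HOME:-/opt/splunkforwarder}/etc/apps}
    if [ "$expected" != "-" ]; then
        actual=$(sha256_of "$archive")
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch for $archive" >&2
            return 1
        fi
    fi
    tar tzf "$archive" | check_archive_listing || return 1
    mkdir -p "$apps_dir"
    tar xzf "$archive" -C "$apps_dir"
}

# Usage: sh install-addon.sh /path/to/add-on.tgz <SHA256_RECORDED_AT_DOWNLOAD>
# (both values are placeholders; the digest may be "-" to skip the check).
if [ $# -ge 1 ]; then
    install_addon "$1" "${2:--}"
fi
```

Stop the forwarder before running it and restart afterwards, as in the procedure above; the listing check is the same one you would otherwise do by eye with tar tzf.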

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2