How to forward data to Splunk Enterprise
The most common way to use the universal forwarder is to send data to a Splunk Enterprise indexer or indexer cluster.
You can also forward data to Splunk Enterprise from heavy and light forwarders. See Enable forwarding on a Splunk Enterprise instance in the Splunk Enterprise Forwarding Data Manual for details.
- Configure receiving on a Splunk Enterprise instance or cluster.
- Download and install the universal forwarder.
- Start the universal forwarder and accept the license agreement. Some installers do this for you.
- (Optional) Change the credentials on the universal forwarder from their defaults.
- Configure the universal forwarder to send data to the Splunk Enterprise instance.
- (Optional) Configure the universal forwarder to act as a deployment client.
- Configure the universal forwarder to collect data from the host it is on.
After you set up forwarding, you can perform these advanced, optional steps for increased security and data reliability.
- Configure the forwarder to send data between multiple indexers. See Configure load balancing.
- Configure a forwarder to send data to an indexer that is behind a proxy server. See Configure a forwarder to use a SOCKS proxy.
- Configure an intermediate forwarding tier, where forwarders send data to other forwarders that then send data to receiving indexers. See Configure an intermediate forwarder.
- Configure an indexer to acknowledge data that it has received before it accepts more. See Protect against the loss of in-flight data.
- Control how forwarders access indexers with tokens. See Control forwarder access.
Configure receiving on Splunk Enterprise
You must configure a Splunk Enterprise indexer to receive data before you can send data to it. If you do not do this, data does not go anywhere.
See Enable a receiver to configure a Splunk Enterprise indexer to receive data.
Download and install the universal forwarder
If you have not downloaded the universal forwarder, do so now.
You must select the correct type of forwarder for your operating system. Splunk provides a universal forwarder for many operating systems. See the following topics for specific installation instructions:
- Install a nix universal forwarder for installation on *nix operating systems.
- Install a Windows universal forwarder from an installer for installation on various Windows operating systems.
Start the universal forwarder
Before the universal forwarder can accept configurations and forward data, it must be started.
The Windows and Mac OS X universal forwarder installation packages let you view and accept the license agreement and start the universal forwarder automatically. For other installation packages, you must start the universal forwarder and accept the license agreement from the command line.
See Start the universal forwarder to learn how to start the universal forwarder, whether it is the first time or after you have made configuration changes.
Configure the universal forwarder to send data to the Splunk Enterprise indexer
Before the universal forwarder can send data to Splunk Enterprise, you must configure it with the Splunk Command Line Interface (CLI).
This procedure details a basic configuration. For additional configuration options, see Configure the universal forwarder.
- From a command or shell prompt on the universal forwarder, go to the
- Specify the host name or ip address of the Splunk Enterprise receiver.
./splunk add forward-server <host>:<port>
.\splunk add forward-server <host>:<port>
hostis the name or IP address of the Splunk Enterprise host that should receive the data.
portis the TCP port that you configured in Enable a receiver in this manual.
The instance confirms your credentials before adding the forwarding host:
./splunk add forward-server splunkaday-linux-light:8999 Added forwarding to: splunkaday-linux-light:8999.
Configure the universal forwarder as a deployment client
When you configure the universal forwarder as a deployment client, you can control configuration of the universal forwarder from a central place. You can use Splunk Web to configure things such as what configurations a forwarder gets, what add-ons it receives, and what data it collects.
Before you can deploy configurations to a universal forwarder with a deployment server, you must configure it to connect to the deployment server. Every Splunk Enterprise indexer can be a deployment server, and the deployment server automatically activates when a universal forwarder connects to the indexer management port. The forwarder then becomes a deployment client.
- From a command or shell prompt on the universal forwarder, go to the
- Specify the host name or IP address of the deployment server.
./splunk set deploy-poll <host>:<port>
.\splunk set deploy-poll <host>:<port>
hostis the name or IP address of the deployment server.
portis the management port of the deployment server. It defaults to
Configure the universal forwarder to send data to Splunk Enterprise
You can collect data on the universal forwarder using several methods.
Define inputs on the universal forwarder with the CLI
You can use the CLI to define inputs on the universal forwarder. After you define the inputs, the universal forwarder collects data based on those definitions as long as it has access to the data that you want to monitor.
For example, to define a Windows event log input on a Windows version of the universal forwarder:
.\splunk enable eventlog System
To define a file monitor input against the /var/log/messages file on a *nix host:
./splunk add monitor /var/log/messages
For more examples of using the CLI to add inputs, see the data ingestion topics in the Splunk Enterprise Getting Data In’’ manual.
Define inputs on the universal forwarder with configuration files
If the input you want to configure does not have a CLI argument for it, you can configure inputs with configuration files.
- Using a command or shell prompt, navigate to the universal forwarder configuration directory.
- Create an inputs.conf file in this directory.
- Edit the file by adding stanzas to
For example, to add the Windows Security, Application, and System event logs to a monitoring stanza on the universal forwarder.
# Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0
To monitor Apache log files:
[monitor:///apache/*.log] disabled = 0
For more examples of using configuration files to define inputs, see Monitor files and directories with inputs.conf in Getting Data In.
Install an add-on into the universal forwarder
- Stop the universal forwarder.
- Download the add-on from Splunkbase, if you have not already.
- Install the add-on into the universal forwarder.
tar xvzf /path/to/add-on.tgz -C $SPLUNK_HOME/etc/apps
No Windows equivalent of
tar, use WinZip or another archive utility to unarchive the application into the %SPLUNK_HOME%\etc\apps folder
- (Optional) Configure the add-on on the forwarder by editing configuration files or running scripts included with the add-on.
- Restart the universal forwarder.
How to forward data to Splunk Cloud
Enable a receiver
This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2