Set up inputs on a forwarder the same way you set them up on a Splunk Enterprise indexer. The only difference is that the forwarder does not include Splunk Web, so you must configure inputs with either the CLI or
inputs.conf. Before setting up the inputs, you need to deploy and configure the forwarder, as this recipe describes.
To use forwarders, specifically universal forwarders, for getting remote data, you need to set up a forwarder-receiver topology, as well as configure the data inputs:
1. Install Splunk Enterprise instances as receivers. See the Installation manual.
2. Use Splunk Web or the CLI to enable receiving on those instances. See "Enable a receiver" in the Forwarding Data manual.
3. Set up one of the receiving Splunk Enterprise instances as a deployment server. See "Plan a deployment" in the Updating Splunk Enterprise Instances manual.
4. Deploy at least one app to the deployment server by placing the app into the
$SPLUNK_HOME/etc/deployment_apps directory. See "Create deployment apps" in the Updating Splunk Enterprise Instances manual.
5. Install, configure, and deploy the forwarders. During configuration:
Note: Depending on your forwarding needs, there are a number of best practice deployment scenarios. See "Universal forwarder deployment overview" in the Forwarding Data manual. Some of these scenarios allow you to configure the forwarder during the installation process.
6. Use Forwarder Management to deploy data input configurations to each universal forwarder. See "Forward Data" in this manual.
7. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or filtering, is occurring as expected. Go to the receiver to search the resulting data.
Troubleshoot the input process
Files and directories - local
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13