Splunk® Universal Forwarder

Forwarder Manual


This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Make a universal forwarder part of a host image

You can deploy a universal forwarder as part of a host image or virtual machine. This is particularly useful if you have a large number of universal forwarders to deploy. If you have just a few, you might find it simpler to install them manually, as described for Windows and *nix hosts.

Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, perform these steps:

1. Install the universal forwarder on a test machine.

2. Perform any post-installation configuration.

3. Test and tune the deployment.

4. Install the universal forwarder with the tested configuration onto a source machine.

5. Stop the universal forwarder.

6. Run this CLI command on the forwarder:

./splunk clone-prep-clear-config

This clears instance-specific information, such as the server name and GUID, from the forwarder. This information will then be configured on each cloned forwarder at initial start-up.

7. Prepare your image or virtual machine, as necessary, for cloning.

8. On *nix systems, set the splunkd daemon to start on boot using cron or your scheduling system of choice. On Windows, set the service to Automatic but do not start it.

9. Distribute the system image or virtual machine clones to machines across your environment and start them.

10. Confirm that forwarders have connected to the indexers you specified during forwarder setup.

Referenced procedures

Steps in the above deployment procedure reference these subtopics.

Install the universal forwarder

Install the universal forwarder using the procedure specific to your operating system:

If you do not want the universal forwarder to start on a Windows host after installation, install from the command line. Using the proper command line flags, you can configure the universal forwarder so that it does not start on the source machine when installed but does start automatically on the clones, once they're activated.

At the time of installation, you can also configure the universal forwarder. See Configure the universal forwarder.

Perform additional configuration

You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as inputs.conf and outputs.conf. See Configure the universal forwarder.

For information on distributing configuration changes across multiple universal forwarders, see "About deployment server" in the Updating Splunk Enterprise Instances manual.

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. When testing the deployment, ask these questions:

1. Do the data inputs that you configured in the forwarder collect the data you want?

If they don't:

  • Check the inputs.conf on the forwarder and confirm that the input stanzas are correct. For example, if you want to configure monitoring a file, confirm that the inputs.conf on the forwarder references that file.
  • Confirm that the stanza that references the file is not disabled (look for 'disabled = 1' in the stanza).

2. Does the forwarder send the data you expect to the place you expect it?

If it doesn't:

  • Confirm that the outputs.conf on the forwarder has been correctly configured. The outputs.conf file should reference a receiving indexer that the forwarder can access over the network via a host name or IP address and port that you specify.
  • Confirm that no firewall blocks network traffic on the ports you specify on both the forwarder and receiver.
  • Confirm that the ports you specify on the forwarder and receiver are the same, as they must be for forwarding to occur. For example, if you specify port 9997 as the receiving port on the indexer, you must specify this same port as the target in the outputs.conf configuration on the forwarder.
  • Use the Search page on the receiving indexer to confirm that you see events that you configured on the forwarder.
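
The checks above, together with the identity clean-up from steps 5 and 6 of the deployment procedure, can be scripted against the source image before it is cloned. The following is an added example, not Splunk's own code: the function names are hypothetical, the sample file contents are constructed, and it assumes the standard layout in which server.conf carries serverName and instance.cfg carries guid under a [general] stanza.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def residual_identity(server_conf, instance_cfg):
    """Steps 5-6: identity values still present in the source image."""
    found = []
    if parse_conf(server_conf).get("general", {}).get("serverName"):
        found.append("server.conf serverName")
    if parse_conf(instance_cfg).get("general", {}).get("guid"):
        found.append("instance.cfg guid")
    return found

def disabled_inputs(inputs_conf):
    """Test question 1: input stanzas switched off with disabled = 1/true."""
    return [name for name, kv in parse_conf(inputs_conf).items()
            if kv.get("disabled", "0").lower() in ("1", "true")]

def mismatched_targets(outputs_conf, receiving_port):
    """Test question 2: tcpout targets whose port differs from the receiver's."""
    bad = []
    for name, kv in parse_conf(outputs_conf).items():
        if name.startswith("tcpout:"):
            for target in kv.get("server", "").split(","):
                if target.strip() and target.strip().rsplit(":", 1)[-1] != str(receiving_port):
                    bad.append(target.strip())
    return bad

# Constructed sample files (not taken from a real host).
SERVER_CONF = "[general]\nserverName = build-host-01\n"
INSTANCE_CFG = "[general]\nguid = 00000000-0000-0000-0000-000000000000\n"
INPUTS_CONF = "[monitor:///var/log/secure]\ndisabled = 1\n\n[monitor:///var/log/messages]\nindex = main\n"
OUTPUTS_CONF = "[tcpout:primary]\nserver = idx1.example.com:9997, idx2.example.com:9998\n"
if __name__ == "__main__":
    print(residual_identity(SERVER_CONF, INSTANCE_CFG), disabled_inputs(INPUTS_CONF),
          mismatched_targets(OUTPUTS_CONF, 9997))
```

A non-empty result from residual_identity means the image would stamp every clone with the same server name or GUID, which makes individual hosts indistinguishable on the receiving side.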
Last modified on 01 December, 2021

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3
