Splunk® Universal Forwarder

Forwarder Manual

Start the universal forwarder

After you install the universal forwarder, you must start it before it can forward data. If you make changes to the forwarder configuration using either files or the CLI, you must start (or restart) the forwarder in most cases.

Commands for starting the universal forwarder

The following commands use environment variables that might not be automatically set on your machine. The environment variables represent where the universal forwarder has been installed on the machine. See Change default values in the Admin Manual to learn how to set these environment variables.

Run the following commands to start the universal forwarder at any time. If this is the first time the forwarder has started, and you have not included parameters to avoid prompts or automatically accept the license agreement, the forwarder performs the following:

  • Prompts you to accept the license agreement. You must read and accept it to continue.
  • Prompts you to create an administrator password. The password you create must meet eligibility requirements.

  • If you want to start the universal forwarder, run this command.
    Unix:
        cd $SPLUNK_HOME/bin
        ./splunk start
    Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk start
  • If you want to accept the license agreement without reviewing it when you start the forwarder for the first time, run this command.
    Unix:
        cd $SPLUNK_HOME/bin
        ./splunk start --accept-license
    Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk start --accept-license
  • If you want to restart the forwarder after you make a configuration change, run this command. When you do, the forwarder first stops itself, then starts itself again.
    Unix:
        cd $SPLUNK_HOME/bin
        ./splunk restart
    Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk restart

Configure the universal forwarder to start at boot time

The procedure for configuring the universal forwarder to start when the machine starts is the same as for Splunk Enterprise, with the universal forwarder installation directory being the only difference. See Configure Splunk Enterprise to start at boot time for the procedure.

The universal forwarder prompts for administrator credentials the first time you start it

When you start the forwarder for the first time under most conditions, it prompts you to create credentials for the Splunk administrator user. The following text appears:

    This appears to be your first time running this version of Splunk.
    
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type the password.
    
    Please enter an administrator username:
  1. Type in the name you want to use for the administrator user. This is the user that you log into the universal forwarder with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin. The following text then appears:
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password:
  2. Type in the password that you want to assign to the user. The password must meet the requirements that the prompt displays.

See Create a secure administrator password in Securing Splunk for additional information about creating a secure password.
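
The following is an added example, not part of the original topic and not Splunk's own code. It shows one way to satisfy the first-start credential prompt on an unattended install: check a password against the policy the prompt displays, then seed the account through a file that only its owner can read, so the password never appears on a command line. It assumes Splunk's user-seed.conf seeding file and the --answer-yes and --no-prompt start options, none of which are named on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk's code): seed the admin account before first start.

# valid_admin_password PW
# Succeeds only if PW meets the policy the first-start prompt displays:
# at least 8 characters, all of them printable ASCII (space through tilde).
valid_admin_password() {
    vp_pw=$1
    # Count the bytes that remain after deleting every printable ASCII byte.
    vp_bad=$(printf '%s' "$vp_pw" | LC_ALL=C tr -d ' -~' | wc -c)
    [ "$vp_bad" -eq 0 ] || return 1
    [ "${#vp_pw}" -ge 8 ] || return 1
    return 0
}

# write_user_seed SPLUNK_HOME [USERNAME]
# Reads the password from stdin so it never appears in argv or shell history,
# then writes etc/system/local/user-seed.conf readable by the owner only.
write_user_seed() {
    ws_home=$1
    ws_user=${2:-admin}          # "admin" is the default the prompt offers
    ws_pw=
    IFS= read -r ws_pw || [ -n "$ws_pw" ] || return 1
    if ! valid_admin_password "$ws_pw"; then
        echo "password does not meet the forwarder's policy" >&2
        return 1
    fi
    ws_dir=$ws_home/etc/system/local
    mkdir -p "$ws_dir" || return 1
    ws_file=$ws_dir/user-seed.conf
    rm -f "$ws_file"
    # umask in a subshell: the file is created 0600 before the secret is written.
    ( umask 077 && printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
        "$ws_user" "$ws_pw" > "$ws_file" ) || return 1
    chmod 600 "$ws_file"
}

# Typical use on a fresh install (run as the account that owns $SPLUNK_HOME):
#   write_user_seed "$SPLUNK_HOME" admin < /path/to/secret   # hypothetical path
#   "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
```

The seed file is only read when the forwarder has no administrator account yet, so run this before the first start, not as a way to change an existing password.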


This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1


Comments

Posting systemd documentation link (though with 7.3.0 forward, default behavior for enable boot-start is to use init.d, which avoids the systemd permissions fun):

https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice#Additional_options_for_enable_boot-start

Pmurphy splunk, Splunker
July 9, 2019

If start does not work - looks like on a Raspberry Pi /lib/ld-linux.so.3 is missing. Creating it with ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib solved it.

@https://answers.splunk.com/answers/193453/forwarder-for-arm-optsplunkforwarderbinsplunk-no-s.html

Martinmadry
March 30, 2019

Hi SVarathan splunk,

The actual start process has not changed under systemd. I think what you are looking for here are instructions on how to configure a forwarder to start at boot time. It is the same process as when you start Splunk Enterprise, and I will add a link to that topic from here.

Malmoore, Splunker
January 30, 2019

Can we update this to reflect the systemd unit?

Svarathan splunk, Splunker
January 14, 2019
