Start the universal forwarder
After you install the universal forwarder, you must start it before it can forward data. If you make changes to the forwarder configuration using either files or the CLI, you must start (or restart) the forwarder in most cases.
Commands for starting the universal forwarder
The following commands use environment variables that might not be automatically set on your machine. The environment variables represent where the universal forwarder has been installed on the machine. See Change default values in the Admin Manual to learn how to set these environment variables.
Run the following commands to start the universal forwarder at any time. If this is the first time the forwarder has started, and you have not included parameters to avoid prompts or automatically accept the license agreement, the forwarder performs the following:
- Prompts you to accept the license agreement. You must read and accept it to continue.
- Prompts you to create an administrator password. The password you create must meet eligibility requirements.
- If you want to start the universal forwarder, run this command.
- If you want to accept the license agreement without reviewing it when you start the forwarder for the first time, run this command.
./splunk start --accept-license
.\splunk start --accept-license
- If you want to restart the forwarder after you make a configuration change, run this command. When you do, the forwarder first stops itself, then starts itself again.
Configure the universal forwarder to start at boot time
The procedure for configuring the universal forwarder to start when the machine starts is the same as for Splunk Enterprise, with the universal forwarder installation directory being the only difference. See Configure Splunk Enterprise to start at boot time for the procedure.
The universal forwarder prompts for administrator credentials the first time you start it
When you start the forwarder for the first time under most conditions, it prompts you to create credentials for the Splunk administrator user. The following text appears:
- Type in the name you want to use for the administrator user. This is the user that you log into the universal forwarder with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of
admin. The following text then appears:
Password must contain at least: * 8 total printable ASCII character(s). Please enter a new password:
- Type in the password that you want to assign to the user. The password must meet the requirements that the prompt displays.
This appears to be your first time running this version of Splunk. Create credentials for the administrator account. Characters do not appear on the screen when you type the password. Please enter an administrator username:
See Create a secure administrator password in Securing Splunk for additional information about creating a secure password.
Deploy and run a universal forwarder inside a Docker container
Stop the universal forwarder
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1