Splunk® Universal Forwarder

Forwarder Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Start the universal forwarder

After you install the universal forwarder, you must start it before it can forward data. If you make changes to the forwarder configuration using either files or the CLI, you must start (or restart) the forwarder in most cases.

Commands for starting the universal forwarder

The following commands use environment variables that might not be automatically set on your machine. The environment variables represent where the universal forwarder has been installed on the machine. See Change default values in the Admin Manual to learn how to set these environment variables.

Run the following commands to start the universal forwarder at any time. If this is the first time the forwarder has started, and you have not included parameters to avoid prompts or automatically accept the license agreement, the forwarder performs the following:

  • Prompts you to accept the license agreement. You must read and accept it to continue.
  • Prompts you to create an administrator password. The password you create must meet eligibility requirements.
  • If you want to start the universal forwarder, run this command.
    Unix Windows
    cd $SPLUNK_HOME/bin
    ./splunk start
    cd %SPLUNK_HOME%\bin
    .\splunk start
  • If you want to accept the license agreement without reviewing it when you start the forwarder for the first time, run this command.
    Unix Windows
    cd $SPLUNK_HOME/bin
    ./splunk start --accept-license
    cd %SPLUNK_HOME%\bin
    .\splunk start --accept-license
  • If you want to restart the forwarder after you make a configuration change, run this command. When you do, the forwarder first stops itself, then starts itself again.
    Unix Windows
    cd $SPLUNK_HOME/bin
    ./splunk restart
    cd %SPLUNK_HOME%\bin
    .\splunk restart

Configure the universal forwarder to start at boot time

See Configure Splunk Enterprise to start at boot time for the procedure.

The universal forwarder prompts for administrator credentials the first time you start it

When you start the forwarder for the first time under most conditions, it prompts you to create credentials for the Splunk administrator user. The following text appears:

    This appears to be your first time running this version of Splunk.
    
    Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type in credentials.
    
    Please enter an administrator username:
  1. Type in the name you want to use for the administrator user. This is the user that you log into the universal forwarder with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin.
    The following text appears:
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password:
  2. Type in the password that you want to assign to the user. The password must meet the requirements that the prompt displays.

See Create a secure administrator password in Securing Splunk for additional information about creating a secure password.

Last modified on 01 December, 2021
PREVIOUS
Deploy and run a universal forwarder inside a Docker container
  NEXT
Stop the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters