Splunk® Universal Forwarder

Forwarder Manual

Configure the universal forwarder using configuration files

Optionally edit the Universal forwarder configuration files to further modify how your machine data is streamed to your indexers. See the following steps:

  1. Find the configuration files.
  2. Edit the configuration files.
  3. Restart the universal forwarder.

Find the configuration files

Navigate to outputs.conf in $SPLUNK_HOME/etc/system/local/ to locate your Universal Forwarder configuration files.

Key configuration files:

Edit the configuration files

You can edit them however you normally edit files, such as through a text editor or the command line, or you can use the Splunk Deployment Server.

When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.

The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).

Edit the configuration files through the command line

You can choose to edit the configuration files through the command line. For more details on using the CLI in general, see Administer Splunk Enterprise with the CLI in the Splunk Enterprise Admin Manual.

The general syntax for a CLI command is:

./splunk <command> [<object>] [[-<parameter>] <value>]...

See the following examples of using the command line to edit configuration files:

Configure the universal forwarder to connect to a receiving indexer

From a shell or command prompt on the forwarder, run the command:

./splunk add forward-server <host name or ip address>:<listening port>

For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:

./splunk add forward-server idx1.mycompany.com:9997

Configure the universal forwarder to connect to a deployment server

From a shell or command prompt on the forwarder, run the command:

./splunk set deploy-poll <host name or ip address>:<management port>

For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:

./splunk set deploy-poll ds1.mycompany.com:8089

Configure a data input on the forwarder

The Splunk Enterprise Getting Data In manual has information on what data a universal forwarder can collect.

1. Determine what data you want to collect.

2. From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:

./splunk add monitor /var/log

The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.

Last modified on 22 July, 2023
Enable a receiver for the Splunk Cloud Platform   Start or stop the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters