Splunk® Universal Forwarder

Forwarder Manual

Enable a receiver for the Splunk Cloud Platform

A receiver is a Splunk component that you configure to listen on a specific network port for incoming data from a forwarder. A receiver can be an indexer, another forwarder, or an Edge Processor.

A Splunk Cloud Platform receiving port is configured and enabled by default. You need to install and configure the Splunk Cloud Platform universal forwarder credentials package on your forwarders to access it. You can install the forwarder credentials on individual forwarders, or install the forwarder credentials on many forwarders using a deployment server. See the following options:

Alternatively, for enhanced data processing before routing the data to Splunk Cloud indexers, you can use the Edge Processor as a receiver for Splunk Cloud Platform. See About the Edge Processor Solution for more information.

Install the forwarder credentials on individual forwarders in *nix

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials package splunkclouduf.spl has been downloaded.
  4. Copy the file to a temporary directory. This is usually your /tmp folder.
  5. Install the splunkclouduf.spl app by entering the following command:
    $SPLUNK_HOME/bin/splunk install app /tmp/splunkclouduf.spl
  6. When you are prompted for a user name and password, enter the user name and password for the Universal Forwarder. The following message displays if the installation is successful:
    App '/tmp/splunkclouduf.spl' installed.
  7. Restart the forwarder to enable the changes by entering the following command:
    ./splunk restart

Install the forwarder credentials on many forwarders using a deployment server in *nix

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl.
  4. Copy the file to your system's temporary (/tmp) folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:
    tar xvf splunkclouduf.spl
  7. Navigate to the /bin subdirectory of the deployment server.
  8. Install the credentials package by running the following command:
    splunk install app <"full path to splunkclouduf.spl"> -auth <username>:<password>
    where <"full path to splunkclouduf.spl"> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the deployment server.
  9. Restart the deployment server by running the following command:
    ./splunk restart
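
Both *nix procedures above copy the credentials package to /tmp, and the deployment server procedure unpacks it with tar. The following added example (not part of Splunk's documentation or tooling) stages the package in an owner-only directory and checks the archive's member paths before unpacking; the function names and the staging directory layout are assumptions.

```shell
#!/bin/sh
# Added example: stage splunkclouduf.spl in an owner-only directory and
# check its member paths before unpacking. Function names and the staging
# layout are assumptions, not part of Splunk's tooling.

# Read archive member paths on stdin; succeed only if every path is
# relative and has no ".." component.
members_are_safe() {
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# Copy the package into a new mode-0700 directory and print its path.
stage_package() {
    pkg=$1
    stage=$(mktemp -d "${TMPDIR:-/tmp}/splunkclouduf.XXXXXX") || return 1
    # The subshell keeps the tightened umask from leaking to the caller.
    (umask 077 && cp "$pkg" "$stage/splunkclouduf.spl") || return 1
    printf '%s\n' "$stage"
}

# List the archive, refuse unsafe member paths, then unpack in the stage.
inspect_and_unpack() {
    stage=$1
    tar tf "$stage/splunkclouduf.spl" | members_are_safe || {
        echo "refusing to unpack: unsafe member path" >&2
        return 1
    }
    (cd "$stage" && umask 077 && tar xf splunkclouduf.spl)
}
```

After inspection, pass "$stage/splunkclouduf.spl" to splunk install app as in the steps above, and remove the staging directory once the app is installed.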

Install the forwarder credentials on individual forwarders in Windows

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl; the commands in this procedure assume that it is in %HOMEPATH%\Downloads.
  4. Copy the file to your system's temporary (\tmp) folder.
  5. Install the splunkclouduf.spl app by entering the following command:
    %SPLUNK_HOME%\bin\splunk.exe install app %HOMEPATH%\Downloads\splunkclouduf.spl
  6. When you are prompted for a username and password, enter the username and password for the Universal Forwarder. The following message displays if the installation is successful:
    App %HOMEPATH%\Downloads\splunkclouduf.spl installed.
  7. Restart the forwarder to enable the changes by entering the following command:
    .\splunk.exe restart

Install the forwarder credentials on many forwarders using a deployment server in Windows

  1. From your Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file splunkclouduf.spl was downloaded.
  4. Copy the file to your system's temporary (\tmp) folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the %SPLUNK_HOME%\etc\deployment-apps\ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:
    tar xvf splunkclouduf.spl
  7. Navigate to the \bin subdirectory of the deployment server.
  8. Install the credentials package by running the following command:
    splunk install app <"full path to splunkclouduf.spl"> -auth <username>:<password>
    where <"full path to splunkclouduf.spl"> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the deployment server.
  9. Restart the deployment server by running the following command:
    .\splunk restart

Renew certificates in the Splunk Cloud Universal Forwarder credentials package

When Splunk issues new TLS certificates for your Splunk Cloud Platform deployment, it issues the new certificates in an updated version of the Splunk Cloud Universal Forwarder credentials package. To load the new certificates within the package, you must install the updated package.

After you download and install the package, you do not need to restart forwarders to reload the new certificates.

  1. Install the updated universal forwarder credentials package using the instructions that appear earlier in this topic.
  2. As the last step, rather than restarting the instance, reload the configuration by running the following command:
    curl -i -u <username>:<password> https://<url of forwarder>:8089/services/data/outputs/tcp/default/_reload

If you want to reload the configuration without restarting on Windows machines, you must download and install the Windows version of the curl web transfer tool from the curl website. You can then follow the steps in this procedure.

Last modified on 21 March, 2024

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1