Splunk® Universal Forwarder

Forwarder Manual

Start or stop the universal forwarder

After you install the universal forwarder, you must start it. Also, if you make changes to the universal forwarder, you must start or restart it.

Restart the universal forwarder

Some configuration changes might require that you restart the forwarder.

To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:

  • On Windows: Go to %SPLUNK_HOME%\bin and run this command:
       splunk restart 
  • On *nix systems: From a shell prompt on the host, go to $SPLUNK_HOME/bin, and run this command:
      ./splunk restart 

Start the universal forwarder

See the following steps to start the universal forwarder:

  1. Set up environment variables on your machine, which are necessary to run these commands. It is possible these variables have automatically been set up. See Change default values in the Admin Manual.
  2. Run the following commands to start the universal forwarder at any time. If this is your first time starting the forwarder, you may be asked to review and accept a license agreement and create a username and password.
    • To start the universal forwarder, run this command.
      Unix:
        cd $SPLUNK_HOME/bin
        ./splunk start
      Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk start
    • If you want to accept the license agreement without reviewing it when you start the forwarder for the first time, run this command.
      Unix:
        cd $SPLUNK_HOME/bin
        ./splunk start --accept-license
      Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk start --accept-license
    • If you want to restart the forwarder after you make a configuration change, run this command. When you do, the forwarder first stops itself, then starts itself again.
      Unix:
        cd $SPLUNK_HOME/bin
        ./splunk restart
      Windows:
        cd %SPLUNK_HOME%\bin
        .\splunk restart
  3. Additionally, you can configure the universal forwarder to start at boot time. See Configure Splunk Enterprise to start at boot time for the procedure.

The universal forwarder prompts for administrator credentials the first time you start it

When you start the forwarder for the first time under most conditions, it prompts you to create credentials for the Splunk administrator user. The following text appears:

    This appears to be your first time running this version of Splunk.
    Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type in credentials.
    Please enter an administrator username:
  1. Type in the name you want to use for the administrator user. This is the user that you log into the universal forwarder with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin.
    The following text appears:
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password:
  2. Type in the password that you want to assign to the user. The password must meet the requirements that the prompt displays.

See Create a secure administrator password in Securing Splunk for additional information about creating a secure password.

Start Splunk Enterprise without prompting, or by answering "yes" to any prompts

There are two other start options: no-prompt and answer-yes.

  • If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk Enterprise proceeds with startup until it has to ask a question. Then, it displays the question and why it has to quit, and quits. In this scenario, it does not prompt for administrator credentials. You must manually create the credentials and restart before you can log in. See "Create administrator credentials manually" later in this topic for the procedure.
  • If you run $SPLUNK_HOME/bin/splunk start --answer-yes, Splunk Enterprise proceeds with startup and automatically answers "yes" to all yes/no questions that it encounters during startup. It displays each question and answer as it continues.

If you start Splunk Enterprise with all three options (--accept-license, --no-prompt, and --answer-yes) in one line, the following happens:

  • The software accepts the license automatically and does not ask you to accept it.
  • The software answers "yes" to any "yes/no" question.
  • The software quits if it encounters a question that cannot be answered "yes" or "no".
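
An unattended first start that combines the three options, as an added example (not part of the Splunk manual). Because --no-prompt skips the credential prompt, it first seeds the administrator account through user-seed.conf, a Splunk mechanism this page does not describe; the function names and the UF_ADMIN_USER and UF_ADMIN_PASSWORD variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Splunk manual. Function names and the
# UF_ADMIN_USER / UF_ADMIN_PASSWORD variables are hypothetical.

# Succeeds only if the password meets the rule the first-start prompt prints:
# at least 8 characters, every one of them printable ASCII (space through ~).
password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    n=$(printf '%s' "$pw" | LC_ALL=C tr -d ' -~' | wc -c)
    [ "$n" -eq 0 ]
}

# Writes $1/etc/system/local/user-seed.conf for user $2 with password $3.
write_user_seed() {
    home=$1; user=$2; pw=$3
    # Restrict the username so it cannot smuggle extra lines into the file.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid username" >&2; return 1 ;;
    esac
    password_ok "$pw" || { echo "password fails policy" >&2; return 1; }
    seed=$home/etc/system/local/user-seed.conf
    mkdir -p "${seed%/*}" || return 1
    # Create the file 0600 from the start; it holds a plaintext password.
    ( umask 077; rm -f "$seed"
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pw" > "$seed" )
}

# Seed the admin account, then start without any interactive prompt.
first_start() {
    write_user_seed "$SPLUNK_HOME" "${UF_ADMIN_USER:-admin}" \
        "${UF_ADMIN_PASSWORD:-}" || return 1
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
}

# Run only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "start" ]; then
    first_start
fi
```

To avoid a plaintext password on disk, user-seed.conf also accepts HASHED_PASSWORD with a value produced by splunk hash-passwd.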

Stop the universal forwarder

You must stop the universal forwarder if you do not want it to forward data any more, or as part of a restart sequence when you make a configuration change that requires a restart.

The following commands use environment variables that might not be automatically set on your host. The environment variables represent where the universal forwarder has been installed on the host. To learn how to set these environment variables, see Change default values in the Admin Manual.

  • Run the following commands to stop the universal forwarder.
    Unix:
      cd $SPLUNK_HOME/bin
      ./splunk stop
    Windows:
      cd %SPLUNK_HOME%\bin
      .\splunk stop

Last modified on 10 August, 2023

    This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2
