Install a universal forwarder on each Windows host
This topic details installing and configuring a universal forwarder on the Windows host in your environment. This is the first step toward getting data into the indexer that you set up earlier.
What is a universal forwarder?
The universal forwarder is a version of Splunk Enterprise whose only purpose is to collect data from a host and send it somewhere. Unlike full Splunk Enterprise, the universal forwarder has extremely limited capability to transform or change the data it collects in any way. This allows for fast collection and dispatching of data with little impact on system and network resources.
In this application, you install universal forwarder on a Windows host to collect the data it contains. You then forward this data to the Splunk indexer, which indexes and stores the data and makes it available for the Splunk App for Windows Infrastructure.
Install universal forwarder
In order to begin the data collection and forwarding process, you must install a universal forwarder on every Windows host that you want data from.
1. Confirm that your Windows host meets the minimum system requirements for a Splunk universal forwarder installation.
2. Download the appropriate universal forwarder for your version of Windows.
3. Install the universal forwarder onto the Windows host. During the installation process, follow these prompts:
- In the first dialog, check the box to accept the license agreement.
- Click Customize Options to customize the installation options.
- Click Next to advance through the "Destination Folder" dialog.
- Click Next to advance through the "Certificate Information" dialog.
- In the "User selection" dialog, make sure "Local System" is selected and click Next
- In the "Enable Windows inputs" dialog, make sure no inputs have been enabled and click Next.
- In the "Specify a Deployment Server" dialog, enter the host name or IP address of the deployment server you just set up in the "Hostname or IP" field and enter "8089" in the second field. Then click Next.
- Click Next to advance through the "Receiving Indexer" dialog.
- Click Install to accept these configurations and install the universal forwarder.
4. After installation completes, confirm that the universal forwarder service runs.
- You can check the
splunkforwarderservice in the Services control panel, or
- You can check if the service runs from a PowerShell window (by going to the
%SPLUNK_HOME%\bindirectory and typing in
You have installed and configured a universal forwarder on at least one Windows machine. Next, you will confirm that deployment server sees the forwarder and add the forwarder to the server class you defined earlier.
Set up a deployment server and create a server class
Add the universal forwarder to the server class
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.4.0