Install a universal forwarder on each Windows host
Installing and configuring a universal forwarder on each Windows host in your environment is the first step toward getting data into the indexer that you set up earlier.
What is universal forwarder?
The universal forwarder is a version of Splunk Enterprise whose only purpose is to collect data from a host and send it somewhere else. Unlike full Splunk Enterprise, the universal forwarder has extremely limited capability to transform or change the data it collects in any way. This allows for fast collection and dispatching of data with little impact on system and network resources.
In this application, you install universal forwarder on a Windows host to collect the data it contains. You then forward this data to the Splunk indexer, which indexes and stores the data and makes it available for the Splunk App for Microsoft Exchange.
Install universal forwarder
In order to begin the data collection and forwarding process, you must install a universal forwarder on every Windows host that you to send data.
As Microsoft Exchange runs only on Windows, you can only install Windows universal forwarders.
For detailed procedures on installing a universal forwarder on a Windows host, see Install the universal forwarder onto the Windows host in the Universal Forwarder manual.
- Confirm that your Windows host meets the minimum requirements for a Splunk universal forwarder installation. See System requirements in the Universal Forwarder manual.
- Download the appropriate universal forwarder for your version of Windows.
- Double-click the universal forwarder installer to run it.
- In the first universal forwarder installer dialog box, check the box to accept the license agreement.
- Click Customize Options to customize the installation options.
- Click Next to advance through the "Destination Folder" dialog.
- Click Next to advance through the "Certificate Information" dialog.
- In the "User selection" dialog, make sure "Local System" is selected and click Next
- In the "Enable Windows inputs" dialog, make sure no inputs have been enabled (all must be disabled) and click Next.
- In the "Specify a Deployment Server" dialog, enter the host name or IP address of the deployment server you just set up in the "Hostname or IP" field and enter "8089" in the second field. Then click Next.
- Click Next to advance through the "Receiving Indexer" dialog.
- Click Install to accept these configurations and install the universal forwarder.
- After installation completes, confirm that the universal forwarder service runs.
You can check the
splunkforwarder service in the Services control panel or use a PowerShell window (by going to the
%SPLUNK_HOME%\bin directory and typing in
You have installed and configured a universal forwarder on at least one Windows machine. Next, you will confirm that deployment server sees the forwarder and add the forwarder to the server class you defined earlier.
Set up a deployment server and create a server class
Add the universal forwarder to the server class
This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.4.1