Splunk® Enterprise

Getting Data In


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Files and directories - remote

The easiest way to get your logs from remote machines into Splunk is with the universal forwarder. You set up the forwarder on the machine generating the logs and then point the forwarder at the Splunk indexer. The forwarder monitors the logs and forwards the events to the indexer, which then indexes them and makes them available for searching.

There are two main steps:

1. Set up the forwarder on the remote machine and point it at the indexer. See this recipe: "Forwarders".

2. Set up the forwarder's inputs so that they monitor the logs. You set up inputs on the forwarder the same way you would on a Splunk indexer. However, the forwarder has no Splunk Web, so you must set up the inputs either with the CLI or by editing inputs.conf directly.

For information on setting up inputs to monitor Unix logs, see "Monitor files and directories" in this manual. For additional information on how to set up forwarders, see "Use forwarders" in this manual.
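The two steps above, sketched as forwarder configuration files. This is an added example, not taken from the Splunk manual; the indexer host name `indexer.example.com`, the receiving port 9997, the monitored path, and the index and sourcetype values are assumptions to replace with your own.

```ini
# --- $SPLUNK_HOME/etc/system/local/outputs.conf (on the forwarder) ---
# Step 1: point the forwarder at the indexer.
# CLI equivalent: splunk add forward-server indexer.example.com:9997
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed host and port; the indexer must be configured to receive on this port.
server = indexer.example.com:9997

# --- $SPLUNK_HOME/etc/system/local/inputs.conf (on the forwarder) ---
# Step 2: monitor the log file and forward its events.
# CLI equivalent: splunk add monitor /var/log/messages
[monitor:///var/log/messages]
disabled = false
# Assumed values; choose the index and sourcetype that fit your deployment.
index = main
sourcetype = syslog
```

Restart the forwarder after editing the files so the new inputs and outputs take effect.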


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

