Important: You set up inputs on a forwarder the same way you set them up on a Splunk indexer. The only difference is that the forwarder does not include Splunk Web, so you must configure inputs with either the CLI or inputs.conf. Before setting up the inputs, you need to deploy and configure the forwarder, as this recipe describes.
To use forwarders, specifically universal forwarders, for getting remote data, you need to set up a forwarder-receiver topology, as well as configure the data inputs:
1. Install the Splunk instances that will serve as receivers. See the Installation Manual for details.
2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in the Distributed Deployment Manual.
3. Install, configure, and deploy the forwarders. Depending on your forwarding needs, there are a number of best-practice deployment scenarios. See "Universal forwarder deployment overview" in the Distributed Deployment Manual for details. Some of these scenarios allow you to configure the forwarder during the installation process.
4. Specify data inputs for each universal forwarder, if you have not already done so during installation. You do this the same way you would for any Splunk instance. As a starting point, see "What Splunk can index" in this manual for guidance on configuring the different types of data inputs.
Note: Since the universal forwarder does not include Splunk Web, you must configure inputs through either the CLI or inputs.conf; you cannot configure with Splunk Web.
5. Specify the forwarders' output configurations, if you have not already done so during installation. You do this through the CLI or by editing the outputs.conf file. You get the greatest flexibility by editing outputs.conf. For details, see the Distributed Deployment Manual, including "Configure forwarders with outputs.conf".
6. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or filtering, is occurring as expected. Go to the receiver to search the resulting data.
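The configuration files behind steps 2, 4, and 5, shown as an added example that is not part of the original Splunk documentation. The receiver hostnames, port 9997, the group name primary_indexers, the monitored path, the sourcetype, and the index are assumed values chosen for illustration.

```ini
# --- Receiver (indexer): $SPLUNK_HOME/etc/system/local/inputs.conf (step 2) ---
# Listen for data from forwarders on TCP port 9997 (assumed port).
[splunktcp://9997]
disabled = 0

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (step 4) ---
# Monitor one local file; path, sourcetype and index are assumed values.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main
disabled = 0

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (step 5) ---
# Send all data to the target group named below (assumed group name).
[tcpout]
defaultGroup = primary_indexers

# Listing more than one receiver makes the forwarder load-balance across them.
# idx1/idx2.example.com are placeholder hostnames.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

For step 6, after restarting the forwarder, a search such as `index=main sourcetype=linux_secure` on each receiver should return events from the forwarder's host.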
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18