Files and directories - remote
The easiest way to get data from remote machines into Splunk Enterprise is with the universal forwarder. You set up the forwarder on the machine that generates the data and then point the forwarder at the Splunk Enterprise indexer. The forwarder gets the data and forwards the events to the indexer, which then processes and stores them and makes them available for searching.
There are two steps:
1. Set up the forwarder on the remote machine and point it at the indexer. See this recipe: "Forwarders".
2. Set up the forwarder inputs so that they monitor the data. This process is the same as if the data was on a Splunk indexer. However, the forwarder does not have Splunk Web, so you must set up the inputs either with the CLI or by editing
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0