Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure data collection on forwarders with inputs.conf

This topic discusses how to configure data inputs on a universal forwarder by editing the inputs.conf configuration file.

Universal forwarders can collect any type of data that a full Splunk Enterprise instance can. If you install the Windows universal forwarder, you can collect Windows Event Logs, performance metrics, Registry changes, and any other Windows data that a full instance can gather.

Universal forwarders can have apps and add-ons installed, and those apps and add-ons can collect data. The one difference is that a universal forwarder cannot display any data, as there is no Web interface to do so. There also is no interface to edit configuration files, so unless you install an app or add-on that has a configured inputs.conf file, you must configure that file yourself.

In nearly all cases, you must edit inputs.conf in the $SPLUNK_HOME/etc/system/local directory. If you have an app installed and want to make changes to its input configuration, edit $SPLUNK_HOME/etc/apps/<appname>/local/inputs.conf. For example, if you have the Splunk Add-on for Unix and Linux installed, you would make edits in $SPLUNK_HOME/etc/apps/TA_nix/local/inputs.conf.

Do not make changes to the inputs.conf in $SPLUNK_HOME/etc/system/default. When you upgrade, the installation overwrites that file, removing any changes you made.

Whenever you make a change to a configuration file, you must restart the forwarder for the change to take effect.

Edit inputs.conf

Editing inputs.conf on a universal forwarder is identical to editing inputs.conf on a full Splunk instance:

1. Using your operating system file management tools or a shell or command prompt, navigate to $SPLUNK_HOME/etc/system/local.

2. Open inputs.conf for editing. You might need to create this file if it does not exist.

3. Add your data inputs by specifying input stanzas. See "What Splunk Enterprise can index" and "Edit inputs.conf."

4. Once you have defined your inputs, save the file and close it.

5. Restart the forwarder.

6. On the receiving indexer, log in and load the Search and Reporting app.

7. Run a search and confirm that you see results from the forwarder that you set up the data inputs on:

host=<forwarder host name or ip address> source=<data source> earliest=1h

If you don't see any results, visit the Troubleshooting page for possible resolution.

Last modified on 27 January, 2016
Configure forwarders with outputs.conf
Supported CLI commands

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters