Splunk® Enterprise

Forwarding Data


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Deploy a *nix universal forwarder manually

This topic describes how to install the universal forwarder software on a *nix host, such as Linux or Solaris. It assumes that you plan to install directly onto the host, rather than use a deployment tool. This type of deployment best suits these needs:

  • Small deployments.
  • Proof-of-concept test deployments.
  • System image or virtual machine for eventual cloning.

Before following the procedures in this topic, see "Universal forwarder deployment overview".

Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, perform these steps:

1. Install the universal forwarder.

2. Configure (and optionally migrate) the universal forwarder.

3. Test the deployment.

4. Perform any additional configuration.

5. Deploy the universal forwarder across your environment.

Install the universal forwarder

The universal forwarder installation package is available for download from splunk.com.

You can install the universal forwarder on a *nix host with a package or a tar file. To install the universal forwarder on any of the supported *nix operating systems, see the installation topic for installing a full Splunk Enterprise instance in the Installation Manual:

Sun SPARC systems that run Solaris require a minimum patch level to install a universal forwarder

If you plan to install a universal forwarder on a Sun SPARC system that runs Solaris, confirm that you have patch level SUNW_1.22.7 or later of the C library (libc.so.1). If you do not, the universal forwarder cannot run because it needs this version of the library.

Installation procedure

You install the universal forwarder the same way that you install a full Splunk Enterprise instance, as documented in these topics in the Installation manual. There are only two differences:

  • The package name.
  • The default installation directory.

The package name

When you install a package, substitute the name of the universal forwarder package for the full Splunk Enterprise package name used in the commands in the Installation manual.

For example, if installing the universal forwarder onto Red Hat Linux, use this command:

rpm -i splunkforwarder_<package_name>.rpm

instead of this command for a full Splunk Enterprise instance:

rpm -i splunk_<package_name>.rpm

The only difference is the prefix to the package name: "splunkforwarder", instead of "splunk".

The default install directory

The universal forwarder installs by default in the /opt/splunkforwarder directory. (The default installation directory for full Splunk is /opt/splunk.)

Important: Do not install the universal forwarder over an existing installation of full Splunk Enterprise. This is particularly vital if you plan to migrate from a light forwarder as described in "Migrate a nix light forwarder".

Configure the universal forwarder

The universal forwarder can run as any user on the local system. If you run the universal forwarder as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

As part of configuration, you can migrate checkpoint settings from an existing forwarder to the universal forwarder. See "Migrate from a light forwarder".

Use the CLI to start and configure your universal forwarders.

Start the universal forwarder

Important: If you want to migrate from an existing forwarder, you must perform a specific set of actions before you start the universal forwarder for the first time. See "Migrate a nix forwarder" for details.

To start the universal forwarder, run the following command from the $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed the universal forwarder):

splunk start

Accept the license agreement automatically

The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the universal forwarder and accept the license in one step:

splunk start --accept-license

Note: There are two dashes before the accept-license option.

Configuration steps

After you start the universal forwarder and accept the license agreement, follow these steps to configure it:

1. Configure universal forwarder to auto-start:

splunk enable boot-start

2. Configure universal forwarder to act as a deployment client (optional). To do this, just specify the deployment server:

splunk set deploy-poll <host>:<port>

  • <host> is the deployment server's hostname or IP address and <port> is the port it's listening on.

This step also automatically enables the deployment client functionality.

3. Configure the universal forwarder to forward to a specific receiving indexer, also known as the "receiver" (optional):

splunk add forward-server <host>:<port> -auth <username>:<password>

  • <host> is the receiving indexer's hostname or IP address and <port> is the port it's listening on. By convention, the receiver listens for forwarders on port 9997, but it can be set to listen on any port, so you'll need to check with the receiver's administrator to obtain the port number. For information on setting up a receiver, see "Enable a receiver".
  • <username>:<password> is the username and password for logging into the forwarder. By default, these are "admin:changeme". To set a different password than the default, issue the following command: "splunk edit user admin -password <new password> -role admin -auth admin:changeme".

During this step, you can also configure a certificate for secure intra-Splunk communications, using a set of optional ssl flags to specify a certificate, root CA, and password. For example:

splunk add forward-server <host>:<port> -ssl-cert-path /path/ssl.crt -ssl-root-ca-path /path/ca.crt -ssl-password <password>

Note: If you do not specify a receiving indexer, be sure to configure universal forwarder to act as a deployment client, as described in step 2, so that it can later be configured for a receiving indexer.

4. To configure the universal forwarder's inputs, use the CLI add command or edit inputs.conf. See "About the CLI" and subsequent topics for details on using the CLI.

For a complete list of CLI commands supported in the universal forwarder, see "Supported CLI commands".
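The configuration steps above, collected into one non-interactive script. This is an added example, not a script from the Splunk documentation; it assumes SPLUNK_HOME points at the forwarder install, that the certificate and CA file paths under etc/auth exist, and that /var/log/secure is the input you want to monitor (all three are assumptions).

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: apply the configuration
# steps above non-interactively. Assumes SPLUNK_HOME points at the forwarder
# install (default /opt/splunkforwarder) and that the forwarder certificate and
# CA file paths used below already exist; both paths are assumptions.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# uf_configure RECEIVER_HOST RECEIVER_PORT NEW_ADMIN_PASSWORD [DEPLOY_HOST:PORT]
# The certificate password is read from UF_SSL_PASSWORD rather than taken as an
# argument so it does not appear in this script's own process listing.
uf_configure() {
    receiver_host="$1"; receiver_port="$2"; new_pass="$3"; deploy="${4:-}"
    ssl_pass="${UF_SSL_PASSWORD:?set UF_SSL_PASSWORD}"
    splunk="$SPLUNK_HOME/bin/splunk"
    [ -x "$splunk" ] || { echo "no splunk binary at $splunk" >&2; return 1; }

    # First start: accept the license in one step (two dashes before accept-license).
    "$splunk" start --accept-license

    # Step 1: start the forwarder on boot.
    "$splunk" enable boot-start

    # Replace the documented default credential before anything else is set up
    # with it; every later command authenticates with the new password.
    "$splunk" edit user admin -password "$new_pass" -role admin -auth admin:changeme

    # Step 2 (optional): register with a deployment server.
    if [ -n "$deploy" ]; then
        "$splunk" set deploy-poll "$deploy" -auth "admin:$new_pass"
    fi

    # Step 3: forward to the receiver over TLS using the optional ssl flags.
    "$splunk" add forward-server "$receiver_host:$receiver_port" \
        -ssl-cert-path "$SPLUNK_HOME/etc/auth/forwarder.pem" \
        -ssl-root-ca-path "$SPLUNK_HOME/etc/auth/ca.pem" \
        -ssl-password "$ssl_pass" \
        -auth "admin:$new_pass"

    # Step 4: add an input, here the host's auth log (path is an assumption).
    "$splunk" add monitor /var/log/secure -auth "admin:$new_pass"
}
```

Run it as the user that owns the installation, for example `UF_SSL_PASSWORD=... ./configure-uf.sh` after defining the function, or call `uf_configure idx.example.com 9997 '<new password>' ds.example.com:8089` from another script.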

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer.

If you migrated from an existing forwarder, confirm that the universal forwarder sends data from where the old forwarder left off. If it doesn't, modify or add data inputs, so that they conform to those on the old forwarder. Examine the two inputs.conf files to ensure that the new universal forwarder has all the inputs that you want to maintain.

If you migrated from an existing forwarder, you can delete that old instance once you have tested the universal forwarder and you're comfortable with the results.
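One way to do the inputs.conf comparison described above: list the stanzas the old forwarder monitored that the new universal forwarder's inputs.conf lacks, and the stanzas the new file carries but has disabled. This is an added example, not code from the Splunk documentation; it assumes plain inputs.conf syntax ("[stanza]" headers followed by "key = value" lines) and uses constructed sample files.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: compare the input stanzas
# of an old forwarder's inputs.conf with the new universal forwarder's.
set -eu

# Print every stanza header of an inputs.conf, one per line, sorted.
uf_stanzas() {
    sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$1" | sort -u
}

# uf_missing_inputs OLD_INPUTS_CONF NEW_INPUTS_CONF
# Stanzas present in the old file but absent from the new one.
uf_missing_inputs() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    uf_stanzas "$1" > "$old_tmp"; uf_stanzas "$2" > "$new_tmp"
    comm -23 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# uf_disabled_inputs INPUTS_CONF
# Stanzas whose body sets "disabled = 1" (or true): they exist but forward nothing,
# so a plain stanza-name comparison would miss them.
uf_disabled_inputs() {
    awk '
        /^[[:space:]]*\[/ { stanza=$0; sub(/^[[:space:]]*\[/,"",stanza); sub(/\][[:space:]]*$/,"",stanza) }
        /^[[:space:]]*disabled[[:space:]]*=[[:space:]]*(1|true)[[:space:]]*$/ && stanza != "" { print stanza }
    ' "$1"
}

# Constructed sample files (not real configuration) to demonstrate both checks.
uf_demo() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' '[monitor:///var/log/secure]' 'sourcetype = linux_secure' \
        '[monitor:///var/log/messages]' 'sourcetype = syslog' \
        '[monitor:///var/log/audit/audit.log]' 'sourcetype = linux_audit' > "$old"
    printf '%s\n' '[monitor:///var/log/secure]' 'sourcetype = linux_secure' \
        '[monitor:///var/log/messages]' 'sourcetype = syslog' 'disabled = 1' > "$new"
    echo "missing from new forwarder:"; uf_missing_inputs "$old" "$new"
    echo "present but disabled:"; uf_disabled_inputs "$new"
    rm -f "$old" "$new"
}
```

Point the two functions at the old forwarder's and the new forwarder's $SPLUNK_HOME/etc/system/local/inputs.conf (or the app-level copies you actually use) instead of the constructed files.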

See "Troubleshoot your deployment" for troubleshooting tips.

Perform additional configuration

In addition to using the CLI, you can update the universal forwarder configuration by editing its configuration files, such as inputs.conf and outputs.conf, directly. See "Configure the universal forwarder" for information.

For information on distributing configuration changes across multiple universal forwarders, see "About deployment server" in the Updating Splunk Enterprise Instances manual.

Deploy the universal forwarder across your environment

If you need just a few universal forwarders, you might find it simpler just to repeat the installation process manually, as documented in this topic. If you need to install a larger number of universal forwarders, however, it will probably be easier to deploy them remotely (using scripting or a deployment tool) or as part of a system image or virtual machine.

Troubleshoot your deployment

The universal forwarder forwards some internal logs to the receiving indexer. These are:


The logs can be searched on the indexer for errors (index=_internal host=<ua-machine>).

If the universal forwarder is malfunctioning such that it cannot forward the logs, use a text editor or the grep utility to examine them on the universal forwarder itself.

Last modified on 06 August, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0
