Splunk® Universal Forwarder

Forwarder Manual

Consolidate data from multiple hosts

One of the most common forwarding use cases is to consolidate data that originates across numerous machines. Forwarders located on the machines send the data to a central Splunk deployment. This diagram illustrates a common scenario, where universal forwarders residing on machines running diverse operating systems send data to a single Splunk instance, which indexes and provides search capabilities across all the data.

30 admin13 forwardreceive-dataforward 60.png

The diagram illustrates a small deployment. In practice, the number of universal forwarders in a data consolidation use case could number into the thousands.

1. Determine the data and machines you need to access.

2. Install a Splunk instance on a host.

This instance functions as the receiver. Data goes there to be indexed and searched.

3. Using the CLI, enter this command from $SPLUNK_HOME/bin/: 

./splunk enable listen <port> -auth <username>:<password>
  • <port> is the network port you want the receiver to listen on.

4. Install universal forwarders on each machine that will generate data.

5. Configure inputs for each forwarder.

To learn what Splunk software can index and how to configure inputs, see What data can I index? in Getting Data In.

6. Configure each universal forwarder to send data to the receiver. For Windows forwarders, you can do this at installation time or through the CLI after installation. For *nix forwarders, you must do this through the CLI. 

./splunk add forward-server <host>:<port> -auth <username>:<password>
  • <host>:<port> are the host and receiver port number of the receiver. For example, splunk_indexer.acme.com:9997.

Alternatively, if you have many forwarders, you can use an outputs.conf file to specify the receiver. For example: 

[tcpout:my_indexers]
server= splunk_indexer.acme.com:9997

You can create this file once and distribute copies of it to each forwarder.

Last modified on 28 June, 2022
Configure forwarding with outputs.conf   How to forward data to Splunk Cloud Platform

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.3.1, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters