Splunk® Enterprise

Forwarding Data

This documentation does not apply to the most recent version of Splunk.

Configure the universal forwarder

This topic discusses how to configure the universal forwarder.

General configuration issues

Because the universal forwarder has no Splunk Web GUI, you must perform all configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can use the CLI, modify the configuration files directly, or use a deployment server.

Where (and where not) to configure

Key configuration files include:

Others include:

When you make configuration changes with the CLI, the universal forwarder writes the changes to configuration files in the search app (except for changes to outputs.conf, which it writes to a file in $SPLUNK_HOME/etc/system/local/). The search app is the default app for the universal forwarder, even though you cannot actually use the universal forwarder to perform searches. If this seems odd, it is.

Note: The Windows installation process writes configuration changes to an app called "MSICreated", not to the search app.

The universal forwarder also ships with a SplunkUniversalForwarder app, which must be enabled. (This happens automatically.) This app includes preconfigured settings that enable the universal forwarder to run in a streamlined mode. No configuration changes get written there. We recommend that you do not make any changes or additions to that app.
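
The following shell functions are an added example, not part of the Splunk documentation. They list the .conf files in the locations described above and flag any local files in the SplunkUniversalForwarder app. The function names are hypothetical, and the code assumes the standard app layout ($SPLUNK_HOME/etc/apps/<app>/local) and that changes to an app appear as files under its local directory.

```shell
#!/bin/sh
# Added example: audit where local configuration lives on a universal forwarder.
# Assumption: apps keep local changes under $SPLUNK_HOME/etc/apps/<app>/local.

# Print the .conf files in the places the CLI or the Windows installer writes to:
# the search app, the MSICreated app, and system/local/outputs.conf.
uf_written_configs() {
    home=$1
    for dir in "$home/etc/apps/search/local" "$home/etc/apps/MSICreated/local"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -name '*.conf'
        fi
    done
    if [ -f "$home/etc/system/local/outputs.conf" ]; then
        echo "$home/etc/system/local/outputs.conf"
    fi
}

# Print any local .conf files inside the SplunkUniversalForwarder app,
# which the documentation says should receive no changes or additions.
uf_streamlined_app_changes() {
    dir="$1/etc/apps/SplunkUniversalForwarder/local"
    if [ -d "$dir" ]; then
        find "$dir" -type f -name '*.conf'
    fi
}

# Report both sets; return 1 if the SplunkUniversalForwarder app was modified.
uf_audit() {
    home=$1
    echo "Configuration written by the CLI or installer:"
    uf_written_configs "$home" | sed 's/^/  /'
    changes=$(uf_streamlined_app_changes "$home")
    if [ -n "$changes" ]; then
        echo "WARNING: local files found in the SplunkUniversalForwarder app:"
        echo "$changes" | sed 's/^/  /'
        return 1
    fi
    echo "SplunkUniversalForwarder app has no local changes."
    return 0
}

# Usage: sh uf_audit.sh /opt/splunkforwarder   (the path is a sample value)
if [ $# -gt 0 ]; then
    uf_audit "$1"
fi
```

A non-zero exit status from uf_audit can be used by a deployment or monitoring tool to flag forwarders whose SplunkUniversalForwarder app has drifted from its shipped state.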

Learn more about configuration

Refer to these topics for some important information:

Deploy configuration updates

Use the following methods for deploying configuration updates across your set of universal forwarders:

  • Edit or copy the configuration files for each universal forwarder manually. (This is only useful for small deployments.)
  • Use the Splunk deployment server to push configured apps to your set of universal forwarders.
  • Use your own deployment tools to push configuration changes.

Restart the universal forwarder

Some configuration changes might require that you restart the forwarder. (The topics covering specific configuration changes will let you know if a change does require a restart.)

To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:

  • On Windows: Go to %SPLUNK_HOME%\bin and run this command:
       > splunk restart 
  • On *nix systems: From a shell prompt on the host, run this command:
       # splunk restart

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0

