Supported CLI commands
The universal forwarder supports a subset of objects for use in CLI commands. Certain objects valid in full Splunk Enterprise, like
index (as in
add index), make no sense in the context of the universal forwarder.
Commands act upon objects. If you type an invalid command/object combination, the universal forwarder will return an error message.
Valid CLI objects
The universal forwarder supports all CLI commands for these objects:
add app config datastore-dir default-hostname deploy-client deploy-poll eventlog exec forward-server monitor oneshot perfmon registry servername splunkd-port tcp udp user wmi
Note: A few commands, such as
stop can be run without an object. A command with no object is also valid for the universal forwarder.
A brief introduction to CLI syntax
The general syntax for a CLI command is:
./splunk <command> [<object>] [[-<parameter>] <value>]...
As described above, it's the object that determines whether a command is valid in the universal forwarder. For example, the above list includes the
monitor object. Therefore, the
add monitor and
edit monitor command/object combinations are both valid. For more information on the
monitor object, see "Use the CLI to monitor files and directories" in the Getting Data In manual.
For more details on using the CLI in general, see the "Administer Splunk Enterprise with the CLI" chapter in the Admin manual. In particular, the topic "CLI admin commands" provides details on CLI syntax, including a list of all commands supported by full Splunk Enterprise and the objects they can act upon.
Configure data collection on forwarders with inputs.conf
Enable forwarding on a Splunk Enterprise instance
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0