Configure data collection on forwarders with inputs.conf
This topic discusses how to configure data inputs on a universal forwarder by editing the inputs.conf configuration file.
Universal forwarders can collect any type of data that a full Splunk Enterprise instance can. If you install the Windows universal forwarder, you can collect Windows Event Logs, performance metrics, Registry changes, and any other Windows data that a full instance can gather.
Universal forwarders can have apps and add-ons installed, and those apps and add-ons can collect data. The one difference is that a universal forwarder cannot display any data, as there is no Web interface to do so. There also is no interface to edit configuration files, so unless you install an app or add-on that has a configured inputs.conf file, you must configure that file yourself.
In nearly all cases, you must edit inputs.conf in the $SPLUNK_HOME/etc/system/local directory. If you have an app installed and want to make changes to its input configuration, edit $SPLUNK_HOME/etc/apps/<appname>/local/inputs.conf. For example, if you have the Splunk Add-on for Unix and Linux installed, you would make edits in
Do not make changes to the inputs.conf in $SPLUNK_HOME/etc/system/default. When you upgrade, the installation overwrites that file, removing any changes you made.
Whenever you make a change to a configuration file, you must restart the forwarder for the change to take effect.
Editing inputs.conf on a universal forwarder is identical to editing inputs.conf on a full Splunk instance:
1. Using your operating system file management tools or a shell or command prompt, navigate to
inputs.conf for editing. You might need to create this file if it does not exist.
4. Once you have defined your inputs, save the file and close it.
5. Restart the forwarder.
6. On the receiving indexer, log in and load the Search and Reporting app.
7. Run a search and confirm that you see results from the forwarder that you set up the data inputs on:
host=<forwarder host name or ip address> source=<data source> earliest=-1h
If you don't see any results, visit the Troubleshooting page for possible resolution.
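The procedure above as a shell function for a Linux forwarder; this is an added example, not code from the Splunk documentation. The function name add_monitor_input, the monitored file /var/log/auth.log, the linux_secure sourcetype and the main index are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: define a file monitor input in the forwarder's local
# inputs.conf (never the copy under etc/system/default, which an upgrade
# overwrites).
# Assumptions, not from the page: Linux host, the file to monitor, the
# sourcetype and the index passed in by the caller.

# add_monitor_input SPLUNK_HOME FILE SOURCETYPE INDEX
# Appends a [monitor://FILE] stanza to etc/system/local/inputs.conf,
# creating the file if it does not exist.
# Returns 0 if the stanza was added, 1 if it was already present,
# 2 if the directory or file could not be created.
add_monitor_input() {
    conf_dir="$1/etc/system/local"
    conf="$conf_dir/inputs.conf"
    stanza="[monitor://$2]"

    mkdir -p "$conf_dir" || return 2
    # Create the file if it does not exist.
    [ -f "$conf" ] || : > "$conf" || return 2

    # Do not add a second copy of the same stanza
    # (fixed-string, whole-line match on the stanza header).
    if grep -Fxq "$stanza" "$conf"; then
        return 1
    fi

    printf '\n%s\ndisabled = false\nsourcetype = %s\nindex = %s\n' \
        "$stanza" "$3" "$4" >> "$conf"
}

# Typical use on the forwarder, followed by the restart that makes the
# change take effect:
#   add_monitor_input "$SPLUNK_HOME" /var/log/auth.log linux_secure main
#   "$SPLUNK_HOME/bin/splunk" restart
```

After the restart, confirm on the indexer with the search from step 7, using the forwarder's host name and source=/var/log/auth.log.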
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14