Configure the universal forwarder
This topic discusses how to configure the universal forwarder.
General configuration issues
Because the universal forwarder has no Splunk Web GUI, you must perform all configuration either during the installation (on Windows systems only) or later, as a separate step. To perform post-installation configuration, you can use the CLI, modify the configuration files directly, or use a deployment server.
Where (and where not) to configure
Key configuration files include:
When you make configuration changes with the CLI, the universal forwarder writes the changes to configuration files in the search app (except for changes to outputs.conf, which it writes to a file in $SPLUNK_HOME/etc/system/local/). The search app is the default app for the universal forwarder, even though you cannot actually use the universal forwarder to perform searches. If this seems odd, it is.
Note: The Windows installation process writes configuration changes to an app called "MSICreated", not to the search app.
The universal forwarder also ships with a SplunkUniversalForwarder app, which must be enabled. (This happens automatically.) This app includes preconfigured settings that enable the universal forwarder to run in a streamlined mode. No configuration changes get written there. We recommend that you do not make any changes or additions to that app.
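The write locations named above can be inventoried on a *nix forwarder with a short script, which is useful when reviewing where a forwarder's effective settings came from. This is an added example, not part of the Splunk documentation or product; the function names and labels are hypothetical, and it assumes the standard layout in which each app keeps locally written settings under $SPLUNK_HOME/etc/apps/<app>/local/.

```shell
#!/bin/sh
# Added example (not Splunk code). Assumption: apps keep locally written
# settings in $SPLUNK_HOME/etc/apps/<app>/local/.

# uf_conf_inventory SPLUNK_HOME
# Prints "<label> <path>" for every .conf file found in the locations
# this topic names as configuration write targets.
uf_conf_inventory() {
    home=$1
    for entry in \
        "cli-outputs:etc/system/local:outputs.conf" \
        "cli-search-app:etc/apps/search/local:*.conf" \
        "windows-installer:etc/apps/MSICreated/local:*.conf" \
        "do-not-edit:etc/apps/SplunkUniversalForwarder/local:*.conf"
    do
        label=${entry%%:*}          # text before the first colon
        rest=${entry#*:}
        dir=$home/${rest%%:*}       # directory relative to SPLUNK_HOME
        pat=${rest#*:}              # file name or glob to look for
        [ -d "$dir" ] || continue
        for f in "$dir"/$pat; do    # $pat left unquoted so the glob expands
            [ -f "$f" ] || continue
            printf '%s %s\n' "$label" "$f"
        done
    done
    return 0
}

# uf_unexpected_changes SPLUNK_HOME
# Succeeds (and prints the files) when the SplunkUniversalForwarder app
# contains local .conf files; fails when that app is untouched.
uf_unexpected_changes() {
    found=$(uf_conf_inventory "$1" | grep '^do-not-edit ') || return 1
    printf '%s\n' "$found"
}

# Run the inventory when SPLUNK_HOME is set in the environment.
if [ -n "${SPLUNK_HOME:-}" ]; then
    uf_conf_inventory "$SPLUNK_HOME"
fi
```

Any line labelled do-not-edit points at a file in the app that this topic recommends leaving unchanged.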
Learn more about configuration
Refer to these topics for some important information:
- "About configuration files" and "Configuration file precedence" in the Admin manual, for details on how configuration files work.
- "Configure forwarders with outputs.conf", for information on
- The topics in the "Use the forwarder to create deployment topologies" section, for information on configuring outputs with the CLI.
- "Configure your inputs" in the Getting Data In manual, for details on configuring data inputs with inputs.conf or the CLI.
Deploy configuration updates
Use the following methods for deploying configuration updates across your set of universal forwarders:
- Edit or copy the configuration files for each universal forwarder manually. (This is only useful for small deployments.)
- Use the Splunk deployment server to push configured apps to your set of universal forwarders.
- Use your own deployment tools to push configuration changes.
Restart the universal forwarder
Some configuration changes might require that you restart the forwarder. (The topics covering specific configuration changes will let you know if a change does require a restart.)
To restart the universal forwarder, use the same CLI restart command that you use to restart a full Splunk Enterprise instance:
- On Windows: Go to %SPLUNK_HOME%\bin and run this command:
> splunk restart
- On *nix systems: From a shell prompt on the host, run this command:
# splunk restart
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0