Configure the universal forwarder using configuration files
Optionally edit the Universal forwarder configuration files to further modify how your machine data is streamed to your indexers. See the following steps:
- Find the configuration files.
- Edit the configuration files.
- Restart the universal forwarder.
Find the configuration files
Navigate to outputs.conf in $SPLUNK_HOME/etc/system/local/ to locate your Universal Forwarder configuration files.
Key configuration files:
- inputs.conf controls how the forwarder collects data.
- outputs.conf controls how the forwarder sends data to an indexer or other forwarder.
- server.conf for connection and performance tuning.
- deploymentclient.conf for connecting to a deployment server.
Edit the configuration files
You can edit them however you normally edit files, such as through a text editor or the command line, or you can use the Splunk Deployment Server.
When you make configuration changes with the CLI, the universal forwarder writes the configuration files. This prevents typos and other mistakes that can occur when you edit configuration files directly.
The forwarder writes configurations for forwarding data to outputs.conf in $SPLUNK_HOME/etc/system/local/).
Edit the configuration files through the command line
You can choose to edit the configuration files through the command line. For more details on using the CLI in general, see Administer Splunk Enterprise with the CLI in the Splunk Enterprise Admin Manual.
The general syntax for a CLI command is:
./splunk <command> [<object>] [[-<parameter>] <value>]...
See the following examples of using the command line to edit configuration files:
Configure the universal forwarder to connect to a receiving indexer
From a shell or command prompt on the forwarder, run the command:
./splunk add forward-server <host name or ip address>:<listening port>
For example, to connect to the receiving indexer with the hostname idx.mycompany.com and that host listens on port 9997 for forwarders, type in:
./splunk add forward-server idx1.mycompany.com:9997
Configure the universal forwarder to connect to a deployment server
From a shell or command prompt on the forwarder, run the command:
./splunk set deploy-poll <host name or ip address>:<management port>
For example, if you want to connect to the deployment server with the hostname ds1.mycompany.com on the default management port of 8089, type in:
./splunk set deploy-poll ds1.mycompany.com:8089
Configure a data input on the forwarder
The Splunk Enterprise Getting Data In manual has information on what data a universal forwarder can collect.
1. Determine what data you want to collect.
2. From a shell or command prompt on the forwarder, run the command that enables that data input. For example, to monitor the /var/log directory on the host with the universal forwarder installed, type in:
./splunk add monitor /var/log
The forwarder asks you to authenticate and begins monitoring the specified directory immediately after you log in.
| Enable a receiver for the Splunk Cloud Platform | Start or stop the universal forwarder |
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Download manual
Feedback submitted, thanks!