Forward data to Splunk Cloud from MacOS
To get data into Splunk Cloud, log into your Splunk Cloud deployment and perform the following steps:
- Download the Splunk Universal Forwarder installer for MacOS.
- Install the universal forwarder.
- Download and install the universal forwarder credentials.
- Enable forwarder management in Splunk Web. (Self-service Splunk Cloud deployments only.)
- Configure data inputs, which specify the data to be collected and forwarded.
The following detailed procedure tells you how to install and configure the universal forwarder on a Macintosh OS X machine.
Log into your Splunk Cloud deployment
The way you log in depends on whether your Splunk Cloud deployment is managed or self-service. (For details, see Types of Splunk Cloud Deployment.)
Logging into a self-service Splunk Cloud deployment
- In your web browser, go to www.splunk.com.
- Click My Account.
- Click Log In.
- On the Log In page, enter the user name and password provided in your "Welcome" email.
- Choose My Account > Instances and click Access Instance. The Splunk Cloud user interface displays.
Logging into a managed Splunk Cloud deployment
- In your web browser, go to the URL specified for your deployment. (Your company selected this URL as part of the process of buying Splunk Cloud.)
- Enter the username and password specified in the Welcome email that your Splunk administrator provided to you.
Step 1: Download the universal forwarder
From the Splunk Cloud Home page:
- In the left sidebar, click Universal Forwarder.
- On the splunkclouduf Home page, click Download Universal Forwarder.
- On the Download Splunk Universal Forwarder page, choose your Macintosh platform.
- When prompted, click Save File and click OK to download the installer as a dmg file. By default, the file is saved in the Downloads directory.
Step 2: Install the universal forwarder
Install the universal forwarder on the computer that contains or has access to the data that you want to collect and forward to Splunk Cloud. If you want to install the universal forwarder on a different computer, copy the universal forwarder installer file to that machine and continue with the steps below.
To install the universal forwarder on a MacOS machine:
- To launch the installer, double-click the dmg file.
- Double-click the Install Splunk Universal Forwarder icon. The Introduction dialog displays, indicating the version and copyright information.
- Click Continue.
- Read the Software License Agreement and click Continue.
- Click Agree to confirm you accept the software license agreement and to continue with the installation. The Installation Type dialog displays, showing a pre-installation summary.
- Click Install.
- Confirm you want to install new software.
- Enter your Username and Password for the machine you are installing the universal forwarder on, and click Install Software. The installation completes and indicates the installation was successful.
- Click Close.
- When prompted, click OK to continue. The installation starts and might take a few minutes to complete.
- When prompted, click Start Splunk.
- Click OK to acknowledge the universal forwarder is installed and started.
Step 3: Download and install the universal forwarder credentials
To enable the forwarder to send data to Splunk Cloud, you must download the universal forwarder credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud.
When you install the credentials file into the universal forwarder, note that the default username and password for a first-time installation of the universal forwarder are admin:changeme. To change the admin password, run the edit user command. For example (assuming you have added the path to the splunk executable to your PATH environment variable):
splunk edit user admin -password mynewpassword -auth admin:changeme
To install your universal forwarder credentials from the Splunk Cloud Home page:
- In the left sidebar, click Universal Forwarder.
- On the Universal Forwarder page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
- When prompted, click Save File and click OK. By default, the splunkclouduf.spl file is downloaded to the Downloads directory. If downloaded to a different location, make note of the location.
- Open a terminal window. (To locate the Terminal application, launch Finder and navigate to Applications > Utilities > Terminal.)
- In the Terminal window, run the following command:
/Applications/SplunkForwarder/bin/splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>
where <full path to splunkclouduf.spl> is the full path to the downloaded splunkclouduf.spl file and <username>:<password> are the username and password of an existing admin account on the universal forwarder. The default is admin:changeme. For example,
/Applications/SplunkForwarder/bin/splunk install app /Users/johnsmith/Downloads/splunkclouduf.spl -auth admin:changeme
- To restart the universal forwarder, run the following command:
Step 4: Enable forwarder management in Splunk Web
You can configure a self-service Splunk Cloud instance as a deployment server that distributes updates to forwarders using Splunk Web. To specify the deployment server host name for self-service deployments, use the URL of your Splunk Cloud instance, omitting the leading "https://" and preceding the URL with "input-". Example:
/Applications/SplunkForwarder/bin/splunk set deploy-poll input-prd-p-gxxnh2qlt7cx.cloud.splunk.com:8089
The default management port is 8089.
If your Splunk Cloud deployment is a managed deployment and you want to use Splunk Web to manage forwarders, you must run a deployment server on premises, because managed Splunk Cloud deployments do not include a deployment server. When configuring deployment clients for an on-premises deployment server, specify the hostname and port on which you are running the deployment server. For details about setting up deployment servers, see About deployment server and forwarder management.
To register the universal forwarder as a deployment client, run the following command:
/Applications/SplunkForwarder/bin/splunk set deploy-poll <deployment server hostname>:<mgmtPort>
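The self-service naming rule in Step 4, as an added shell example that is not part of the Splunk documentation: it derives the deploy-poll target from an instance URL and refuses malformed input, since that target decides which server distributes updates to this forwarder. The function names and the sample URL path are assumptions made for illustration; the install path, host name and port come from this page.

```shell
#!/bin/sh
# Added example (not Splunk's own code): build the Step 4 deploy-poll target
# for a self-service deployment from the URL of the Splunk Cloud instance.
SPLUNK_BIN="/Applications/SplunkForwarder/bin/splunk"  # install path used on this page
MGMT_PORT=8089                                          # default management port

# deploy_poll_target URL
# Prints input-<host>:<port>; returns 1 when the URL cannot be used.
deploy_poll_target() {
    host=${1#https://}                      # omit the leading "https://"
    case $host in
        *://*) echo "unsupported scheme in: $1" >&2; return 1 ;;
    esac
    host=${host%%/*}                        # drop any path or trailing slash
    host=${host%%:*}                        # drop a port copied from the browser
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    case $host in
        input-*) ;;                         # prefix already present
        *) host="input-$host" ;;
    esac
    # Allow DNS host name characters only, so nothing unexpected reaches the CLI.
    case $host in
        *[!a-z0-9.-]*|input-|*..*|*.)
            echo "invalid instance URL: $1" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$host" "$MGMT_PORT"
}

# deploy_poll_command URL
# Prints the full command line from Step 4 so it can be reviewed before it is run.
deploy_poll_command() {
    target=$(deploy_poll_target "$1") || return 1
    printf '%s set deploy-poll %s\n' "$SPLUNK_BIN" "$target"
}

# Constructed sample input: the page's example host with an illustrative URL path.
deploy_poll_command "https://prd-p-gxxnh2qlt7cx.cloud.splunk.com/en-US/app/launcher/home"
```
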
Step 5: Configure data inputs
To specify the data to be forwarded to Splunk Cloud, perform the following steps.
The steps in this section apply to self-service deployments.
- In the Splunk Cloud user interface, click Settings in the top menu bar.
- In the Settings view, under Data on the right of the screen, click the Add Data button.
- On the Add Data view, click Forward.
- Next to Select Server Class, click New.
- Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box.
- In the New Server Class Name field, enter a name for the new server class.
- Click Next near the top of the screen.
- Select the type of data for the universal forwarder to collect. For this example, choose Files & Directories.
- Enter the name of a file or directory containing data that you want to forward to Splunk Cloud. For example,
- Click Next.
- In the Input Settings view, next to Source type, click Automatic.
- Click Review and verify your settings are correct.
- Click Submit.
- To display the data that was forwarded, click Start Searching.
For more information about adding data, see Configure the universal forwarder in the Splunk Enterprise Forwarder Manual.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6