Splunk Cloud User Manual


Forward data to Splunk Cloud from Linux

To get data into Splunk Cloud, log into your Splunk Cloud deployment and perform the following steps:

  1. Download the Splunk Universal Forwarder for Linux.
  2. Install the Splunk Universal Forwarder for Linux.
  3. Download and install the universal forwarder credentials.
  4. Enable forwarder management in Splunk Web. (Self-service Splunk Cloud deployments only.)
  5. Configure data inputs, which specify the data to be collected and forwarded.

The following detailed procedure tells you how to install and configure the universal forwarder on a Linux machine.

Log into your Splunk Cloud deployment

The way you log in depends on whether your Splunk Cloud deployment is managed or self-service (for details, see Types of Splunk Cloud Deployment).

Logging into a self-service Splunk Cloud deployment

  1. In your web browser, go to www.splunk.com.
  2. Click My Account.
  3. Click Log In.
  4. On the Log In page, enter the user name and password provided in your "Welcome" email.
  5. Choose My Account > Instances and click Access Instance. The Splunk Cloud user interface displays.

Logging into a managed Splunk Cloud deployment

  1. In your web browser, go to the URL specified for your deployment. (Your company selected this URL as part of the process of buying Splunk Cloud.)
  2. Enter the username and password specified in your Welcome email provided to you by your Splunk administrator.

Step 1: Download the universal forwarder

From the Splunk Cloud Home page:

  1. In the left sidebar, click Universal Forwarder.
  2. On the splunkclouduf Home page, click Download Universal Forwarder.
  3. On the Download Splunk Universal Forwarder page, click Linux and choose your Linux platform.
  4. When prompted, click Save File and click OK to download the installer as a compressed archive (.tgz file).

Step 2: Install the universal forwarder

Install the universal forwarder on the computer that contains or has access to the data that you want to collect and forward to Splunk Cloud. If you want to install the universal forwarder on a different computer, copy the universal forwarder package file to that machine and continue with the steps below.

To install the universal forwarder on a Linux machine:

  1. Navigate to the directory where you want to install the universal forwarder.
  2. Issue the following command:
    tar xvzf <downloadfile>.tgz

Step 3: Download and install the universal forwarder credentials

To enable the forwarder to send data to Splunk Cloud, you must download the universal forwarder credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud.

When you install the credentials file into the universal forwarder, note that the default username and password for a first-time installation of the universal forwarder are admin:changeme. To change the admin password, run the edit user command. For example: splunk edit user admin -password mynewpassword -auth admin:changeme.

To install your universal forwarder credentials from the Splunk Cloud Home page:

  1. In the left sidebar, click Universal Forwarder.
  2. On the splunkclouduf Home page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
  3. When prompted, click Save File and click OK. By default, the splunkclouduf.spl file is downloaded to the Downloads directory. If downloaded to a different location, make note of the location.
  4. Open a command prompt window.
  5. Navigate to the /bin subdirectory of the directory where you installed the universal forwarder.
  6. Run the following command: splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>, where <full path to splunkclouduf.spl> is the full path to the splunkclouduf.spl file and <username>:<password> are the username and password of an existing admin account on the universal forwarder. The default is admin:changeme. For example: splunk install app /Users/johnsmith/Downloads/splunkclouduf.spl -auth admin:changeme
  7. To restart the universal forwarder, run the following command: ./splunk restart
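The following shell script is an added example, not part of the Splunk documentation: it automates Steps 2 and 3 on a Linux host (unpack, replace the default admin:changeme password, install the credentials app, restart) and then checks that the forwarder can reach the indexers named in the installed app's outputs.conf, which is the first thing to verify when splunkd.log shows "Cooked connection ... timed out". It assumes the .tgz unpacks to ./splunkforwarder, that the credentials app installs as etc/apps/splunkclouduf with a default/outputs.conf, and that nc (netcat) is available.

```shell
#!/bin/sh
# Added example (not Splunk's own code): automates Steps 2-3 and checks
# connectivity to the indexers listed in the credentials app.
# Assumptions: the .tgz unpacks to ./splunkforwarder; the credentials app
# installs as etc/apps/splunkclouduf/default/outputs.conf; nc is installed.

# Print each "host:port" from the "server = a:9997, b:9997" lines of an
# outputs.conf, one per line.
outputs_servers() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Return 0 when a TCP connection to host:port succeeds within 5 seconds.
tcp_reachable() {
    host=${1%:*}
    port=${1##*:}
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
}

# $1 = downloaded .tgz, $2 = path to splunkclouduf.spl, $3 = new admin password.
install_uf_with_credentials() {
    tgz=$1; spl=$2; newpass=$3
    tar xzf "$tgz"                                   # Step 2
    SPLUNK_HOME=$(pwd)/splunkforwarder
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    # Replace the first-time default credentials before anything else.
    "$SPLUNK_HOME/bin/splunk" edit user admin -password "$newpass" -auth admin:changeme
    "$SPLUNK_HOME/bin/splunk" install app "$spl" -auth "admin:$newpass"   # Step 3
    "$SPLUNK_HOME/bin/splunk" restart
    # A blocked indexer here is what later surfaces as a timed-out cooked connection.
    outputs_servers "$SPLUNK_HOME/etc/apps/splunkclouduf/default/outputs.conf" |
    while read -r target; do
        if tcp_reachable "$target"; then echo "ok       $target"
        else echo "BLOCKED  $target"; fi
    done
}
```

Run it from the directory where the forwarder should live, e.g. `install_uf_with_credentials splunkforwarder-linux.tgz ~/Downloads/splunkclouduf.spl 'NewStrongPassword'`.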

Step 4: Enable forwarder management in Splunk Web

You can configure a self-service Splunk Cloud instance as a deployment server that distributes updates to forwarders using Splunk Web. To specify the deployment server host name for self-service deployments, use the URL of your Splunk Cloud instance, omitting the leading "https://" and preceding the URL with "input-". Example: /Applications/SplunkForwarder/bin/splunk set deploy-poll input-prd-p-gxxnh2qlt7cx.cloud.splunk.com:8089 (The default management port is 8089.)

If your Splunk Cloud deployment is a managed deployment and you want to use Splunk Web to manage forwarders, you must run a deployment server on premises, because managed Splunk Cloud deployments do not include a deployment server. When configuring deployment clients for an on-premises deployment server, specify the hostname and port on which you are running the deployment server. For details about setting up deployment servers, see About deployment server and forwarder management.

To register the universal forwarder as a deployment client, run the following commands (assuming you have added the path to the Splunk forwarder installation directory to your PATH environment variable):

  1. splunk set deploy-poll <deployment server hostname>:<mgmtPort>
  2. splunk restart

Step 5: Configure data inputs

To specify the data to be forwarded to Splunk Cloud, perform the following steps.

The steps in this section apply to self-service deployments.

  1. In the Splunk Cloud user interface, click Settings in the top menu bar.
  2. In the Search view, under Data on the right of the screen, click the Add Data button.
  3. On the Add Data view, click Forward.
  4. Next to Select Server Class, click New.
  5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box.
  6. In the New Server Class Name field, enter a name for the new server class.
  7. Click Next near the top of the screen.
  8. Select the type of data for the universal forwarder to collect. For this example choose Files & Directories.
  9. Enter the name of a file or directory containing data that you want to forward to Splunk Cloud. For example, /var/log.
  10. Click Next.
  11. In the Input Settings view, next to Source type, click Automatic.
  12. Click Review and verify your settings are correct.
  13. Click Submit.
  14. To display the data that was forwarded, click Start Searching.

For more information about adding data, see Configure the universal forwarder in the Splunk Enterprise Forwarder Manual.


This documentation applies to the following versions of Splunk Cloud: 7.0.8, 7.0.11, 7.0.13, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.0, 8.0.1, 8.0.2001


Step 4 (hooking the Splunk Cloud management port to the Universal Forwarder) has a misleading example: https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/User/ForwardDataToSplunkCloudFromLinux#Step_4:_Enable_forwarder_management_in_Splunk_Web

The command should actually be `/Applications/SplunkForwarder/bin/splunk set deploy-poll prd-p-gxxnh2qlt7cx.cloud.splunk.com:8089`

January 9, 2020

As another reference to my comment below, the PANW Splunk Cloud GDI guide confirms this step as well:

Bsaeed splunk, Splunker
October 3, 2019

In Step 3: Download and install the universal forwarder credentials, we need to provide an addendum that lists steps to install the UF credentials via a Deployment Server. The doc guides through the process to install the UF credentials file splunkclouduf.spl and only follows the steps to install it directly on the UF itself, (there are no steps listed if using a DS).

In case of a DS, you have to untar the splunkclouduf.spl via tar -xvf before it can be added to the app bundle folder in $SPLUNK_HOME/etc/deployment-apps and pushed out to the clients.

This blog example also uses the extracted version of the .spl when it is deployed to the DS clients:

Bsaeed splunk, Splunker
October 3, 2019
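The deployment-server variant described in the comment above, as an added shell example that is neither the commenter's nor Splunk's own code: it extracts splunkclouduf.spl into the deployment server's etc/deployment-apps directory and refuses to stage an app that lacks an outputs.conf. It assumes the .spl is a (gzipped) tar whose top-level directory is the app name, that GNU tar is used, and that the deployment server install root is passed as an argument.

```shell
#!/bin/sh
# Added example (not the commenter's or Splunk's code): stage the credentials
# app on a deployment server instead of installing it on each forwarder.
# Assumptions: the .spl is a tar (gzip auto-detected by GNU tar) whose first
# path component is the app name; $2 is the deployment server's SPLUNK_HOME.

# Extract an .spl into $2/etc/deployment-apps and print the staged app path.
stage_spl_on_ds() {
    spl=$1; splunk_home=$2
    apps_dir="$splunk_home/etc/deployment-apps"
    mkdir -p "$apps_dir"
    # First archive entry names the app directory, e.g. "splunkclouduf/".
    app=$(tar tf "$spl" | head -n 1 | cut -d/ -f1)
    tar xf "$spl" -C "$apps_dir"
    # An app without outputs.conf would push nothing useful to the clients.
    [ -f "$apps_dir/$app/default/outputs.conf" ] || return 1
    echo "$apps_dir/$app"
}

# After assigning the staged app to a server class (Splunk Web or
# serverclass.conf), make the deployment server re-read its apps.
reload_ds() {
    "$1/bin/splunk" reload deploy-server
}
```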

1) There doesn't seem to be any mention either way, on this page or any other, as to whether step 3 on this page would also work for on-prem Heavy Forwarder instances. I strongly suspect that it would work just fine, however this page should probably clarify that.
As written today it may be forcing on-prem and hybrid customers to unnecessarily migrate inputs from HF's to UF's (in the false belief that it's necessary for cloud migration).

2) Also I am fairly sure that Step 4 is optional, and if you don't want to manage the forwarder like that, you can skip step 4? However both the first introductory paragraph of the page and step 4 itself, in their wording imply that it is required for the whole process to succeed.

3) Lastly, if you do clarify step 3 and whether or not it works for hybrid (Splunk on-prem + Splunk Cloud) deployments, then in the case of an HF, it may be good to also revisit step 4 + HF considerations.

March 15, 2019

Akanshajain, this is often due to a connectivity issue, such as a firewall blocking communication. Splunk Answers has more information and suggested paths for investigation. For example, see https://answers.splunk.com/answers/218422/tcpoutputproc-cooked-connection-to-iptimed-out.html.

Andrewb splunk, Splunker
May 16, 2017

Hey, I tried out this approach, but in my Splunk Cloud the forwarder is not showing in Add Data of Splunk. I opened the splunkd.log file and it is showing errors "Cooked connection to ip= timed out". Please help me.

March 1, 2017
