Forward data to Splunk Cloud from MacOS
To get data into Splunk Cloud, log into your Splunk Cloud deployment and perform the following steps:
- Download the Splunk Universal Forwarder installer for MacOS.
- Install the universal forwarder.
- Download and install the universal forwarder credentials.
- Enable forwarder management in Splunk Web. (Self-service Splunk Cloud deployments only.)
- Configure data inputs, which specify the data to be collected and forwarded.
The following detailed procedure tells you how to install and configure the universal forwarder on a Macintosh OS X machine.
Log into your Splunk Cloud deployment
The way you log in depends on whether your Splunk Cloud deployment is managed or self-service (for details, see Types of Splunk Cloud Deployment.)
Logging into a self-service Splunk Cloud deployment
- In your web browser, go to www.splunk.com.
- Click My Account.
- Click Log In.
- On the Log In page, enter the user name and password provided in your "Welcome" email.
- Choose My Account > Instances and click Access Instance. The Splunk Cloud user interface displays.
Logging into a managed Splunk Cloud deployment
- In your web browser, go to the URL specified for your deployment. (Your company selected this URL as part of the process of buying Splunk Cloud.)
- Enter the username and password specified in your Welcome email provided to you by your Splunk administrator.
Step 1: Download the universal forwarder
From the Splunk Cloud Home page:
- In the left sidebar, click Universal Forwarder.
- On the splunkclouduf Home page, click Download Universal Forwarder.
- On the Download Splunk Universal Forwarder page, choose your Macintosh platform.
- When prompted, click Save File and click OK to download the installer as a dmg file. By default, the file is saved in the Downloads directory.
Step 2: Install the universal forwarder
Install the universal forwarder on the computer that contains or has access to the data that you want to collect and forward to Splunk Cloud. If you want to install the universal forwarder on a different computer, copy the universal forwarder installer file to that machine and continue with the steps below.
To install the universal forwarder on a MacOS machine:
- Navigate to the folder or directory where the installer is located.
- Double-click the DMG file.
A Finder window that contains the
- Double-click the Install Splunk Universal Forwarder icon to start the installer.
If you're installing on OSX 10.15, right-click the Install Splunk Universal Forwarder icon and click Open. When prompted again, click Open.
- The Introduction panel lists version and copyright information. Click Continue.
- The License panel shows the software license agreement. Click Continue.
- You will be asked to agree to the terms of the software license agreement. Click Agree.
- In the Installation Type panel, click Install. This installs the universal forwarder in the default directory
- You are prompted to type the password that you use to log in to your computer.
- When the installation finishes, a popup informs you that an initialization must be performed. Click OK.
- A terminal window appears and you are prompted to specify a userid and password to use with the universal forwarder.
The password must be at least 8 characters in length. The cursor will not advance as you type.
Make note of the userid and password. You will use these credentials to authenticate when using CLI commands on the forwarder.
- A popup appears asking what you would like to do. Click Start Splunk.
- Close the Install Splunk Forwarder window.
The installer places a shortcut on the Desktop so that you can start or stop the universal forwarder from your Desktop any time.
Step 3: Download and install the universal forwarder credentials
To enable the forwarder to send data to Splunk Cloud, you must download the universal forwarder credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud.
When you install the credentials file into the universal forwarder, note that the default username and password for a first-time installation of the universal forwarder are admin:changeme. To change the admin password, run the edit user command. For example (assuming you have added the path to the splunk executable to your PATH environment variable):
splunk edit user admin -password mynewpassword -auth admin:changeme
To install your universal forwarder credentials from the Splunk Cloud Home page:
- In the left sidebar, click Universal Forwarder.
- On the Universal Forwarder page, click Download Universal Forwarder Credentials to download the
- When prompted, click Save File and click OK. By default, the splunkclouduf.spl file is downloaded to the Downloads directory. If downloaded to a different location, make note of the location.
- Open a terminal window. (To locate the Terminal application, launch Finder and navigate to Applications > Utilities > Terminal.)
- In the Terminal window, run the following command:
/Applications/SplunkForwarder/bin/splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>
where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the universal forwarder. The default is admin:changeme. For example,
/Applications/SplunkForwarder/bin/splunk install app /Users/johnsmith/Downloads/splunkclouduf.spl -auth admin:changeme
- To restart the universal forwarder, run the following command:
Step 4: Enable forwarder management in Splunk Web
You can configure a self-service Splunk Cloud instance as a deployment server that distributes updates to forwarders using Splunk Web. To specify the deployment server host name for self-service deployments, use the URL of your Splunk Cloud instance, omitting the leading "https://" and preceding the URL with "input-". Example:
/Applications/SplunkForwarder/bin/splunk set deploy-poll input-prd-p-gxxnh2qlt7cx.cloud.splunk.com:8089
(The default management port is 8089.)
If your Splunk Cloud deployment is a managed deployment and you want to use Splunk Web to manage forwarders, you must run a deployment server on premises, because managed Splunk Cloud deployments do not include a deployment server. When configuring deployment clients for an on-premises deployment server, specify the hostname and port on which you are running the deployment server. For details about setting up deployment servers, see About deployment server and forwarder management.
To register the universal forwarder as a deployment client, run the following commands:
/Applications/SplunkForwarder/bin/splunk set deploy-poll <deployment server hostname>:<mgmtPort>
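The hostname rule for self-service deployments in this step, as an added shell example that is not part of the Splunk documentation: it derives the deploy-poll target from the instance URL, rejects input that does not fit the rule, and prints the command for review. The function names and the .cloud.splunk.com suffix check are assumptions based on the example hostname above.

```shell
#!/bin/sh
# Added example (not Splunk's code): build the deploy-poll target for a
# self-service deployment from the instance URL, per the rule in Step 4.
# Assumption: instance hostnames end in .cloud.splunk.com, as in the page's example.

SPLUNK_BIN="/Applications/SplunkForwarder/bin/splunk"  # install path used on this page
DEFAULT_MGMT_PORT=8089                                 # default management port

# deploy_poll_target URL [PORT]
# Prints input-<host>:<port>; prints an error and returns 1 on bad input.
deploy_poll_target() {
    url=$1
    port=${2:-$DEFAULT_MGMT_PORT}
    case $url in
        https://*) host=${url#https://} ;;                  # omit the leading https://
        *://*) echo "refusing non-https URL: $url" >&2; return 1 ;;
        *) host=$url ;;                                     # bare hostname is accepted
    esac
    host=${host%%/*}   # drop any path or trailing slash
    host=${host%%:*}   # drop a port embedded in the URL
    case $host in
        ""|*[!A-Za-z0-9.-]*) echo "invalid hostname: $host" >&2; return 1 ;;
    esac
    # The deployment server distributes updates to the forwarder, so only
    # accept a host in the expected domain (assumption, see header).
    case $host in
        ?*.cloud.splunk.com) ;;
        *) echo "unexpected domain: $host" >&2; return 1 ;;
    esac
    case $port in
        ""|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    case $host in
        input-*) ;;                 # already prefixed, do not prefix twice
        *) host="input-$host" ;;    # precede the hostname with input-
    esac
    printf '%s:%s\n' "$host" "$port"
}

# deploy_poll_command URL [PORT]
# Prints the full CLI line for review; it does not execute anything.
deploy_poll_command() {
    target=$(deploy_poll_target "$@") || return 1
    printf '%s set deploy-poll %s\n' "$SPLUNK_BIN" "$target"
}
```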
Step 5: Configure data inputs
To specify the data to be forwarded to Splunk Cloud, perform the following steps.
The steps in this section apply to self-service deployments.
- In the Splunk Cloud user interface, click Settings in the top menu bar.
- In the Settings view, under Data on the right of the screen, click the Add Data button.
- On the Add Data view, click Forward.
- Next to Select Server Class, click New.
- Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box.
- In the New Server Class Name field, enter a name for the new server class.
- Click Next near the top of the screen.
- Select the type of data for the universal forwarder to collect. For this example, choose Files & Directories.
- Enter the name of a file or directory containing data that you want to forward to Splunk Cloud. For example,
- Click Next.
- In the Input Settings view, next to Source type, click Automatic.
- Click Review and verify your settings are correct.
- Click Submit.
- To display the data that was forwarded, click Start Searching.
For more information about adding data, see Configure the universal forwarder in the Splunk Enterprise Forwarder Manual.
This documentation applies to the following versions of Splunk Cloud™: 8.0.2001