Splunk® Light (Legacy)

Splunk Light Cloud Service


This documentation does not apply to the most recent version of Splunk Light.

Forward data to a Splunk Light cloud service

Download and install the universal forwarder

1. Download the Splunk Universal Forwarder from Splunk.com. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.

http://www.splunk.com/en_us/download/universal-forwarder.html

2. Install the universal forwarder on the machine that hosts the data you want to index and search from Splunk Light. To install, configure, and deploy the universal forwarder, select one of the following topics in the Splunk Universal Forwarder Manual.

Note: When installing on Windows, select the appropriate options for monitoring Local System, but do not choose any host or port numbers to configure.

Download and install the Universal Forwarder Credentials

1. In your Splunk Light instance, find and click Universal Forwarder in the left sidebar menu, under System.

2. Click Download Universal Forwarder Credentials to download the file splunkclouduf.spl, which contains a custom certificate with encryption keys to secure your data.

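3. Add the Universal Forwarder credentials package to your universal forwarder. The -auth argument takes the forwarder's local admin username and password; admin:changeme is the default, so substitute your own credentials if you have changed the password.

  • On Unix, run the following command to install the credentials: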

<splunkufinstallhome>/bin/splunk install app <full path to splunkclouduf.spl> -auth admin:changeme

  • On Windows, run the following command to install the credentials:

<splunkufinstallhome>\bin\splunk install app <full path to splunkclouduf.spl> -auth admin:changeme

Forward data to your Splunk Light cloud service

1. Add one or more monitor data inputs.

  • On Unix, run the following command to monitor the /var/logs directory:

<splunkufinstallhome>/bin/splunk add monitor -auth admin:changeme /var/logs/

  • On Windows, run the following command to monitor the Windows Update Log file:

<splunkufinstallhome>\bin\splunk add monitor -auth admin:changeme -source c:\Windows\windowsupdate.log


2. Restart the universal forwarder.

  • On Unix, run the following command:

<splunkufinstallhome>/bin/splunk restart

  • On Windows, run the following command:

<splunkufinstallhome>\bin\splunk restart


3. Search to verify that your cloud instance receives the monitor data you added to the universal forwarder.

Forward data with a deployment server

1. Run the following command to connect your universal forwarder to your Splunk Light cloud service, which acts as the deployment server.

<splunkufinstallhome>/bin/splunk set deploy-poll <deployment-server>:<mgmtPort> -auth admin:changeme

Where deployment-server is input-<your cloud host name> and mgmtPort is 8089. For example, if your cloud instance URL is https://something.cloud.splunk.com/, use the parameter input-something.cloud.splunk.com:8089.

2. Restart the universal forwarder.

  • On Unix, run the following command:

<splunkufinstallhome>/bin/splunk restart

  • On Windows, run the following command:

<splunkufinstallhome>\bin\splunk restart


3. On your universal forwarder, verify that a new file was created.

<splunkufinstallhome>/etc/system/local/deploymentclient.conf


4. In your Splunk Light instance, go to Add Data and select Forward.

It might take a few minutes before you see your universal forwarder listed.
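
To go with step 3 above, the following added example (not part of the Splunk documentation) checks that deploymentclient.conf points at the host derived from your cloud URL, so a forwarder polling the wrong server is caught early. It assumes set deploy-poll writes targetUri under the [target-broker:deploymentServer] stanza; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm deploymentclient.conf targets the expected
# Splunk Light cloud deployment server. Function names are hypothetical.

# Derive <deployment-server>:<mgmtPort> from the cloud instance URL,
# using the page's rule: input-<your cloud host name> and port 8089.
deploy_target_from_url() {
    host=${1#*://}      # strip the scheme
    host=${host%%/*}    # strip any path
    host=${host%%:*}    # strip any port
    [ -n "$host" ] || return 1
    printf 'input-%s:8089\n' "$host"
}

# Print targetUri from the [target-broker:deploymentServer] stanza.
# Assumption: this is the stanza that set deploy-poll writes.
read_target_uri() {
    awk '
        /^[ \t]*\[/ {
            in_stanza = ($0 ~ /^[ \t]*\[target-broker:deploymentServer\][ \t]*$/)
            next
        }
        in_stanza && /^[ \t]*targetUri[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Return 0 on a match, 1 on a mismatch, 2 if the inputs are unusable.
check_deploy_target() {
    conf=$1; url=$2
    [ -r "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    expected=$(deploy_target_from_url "$url") || return 2
    actual=$(read_target_uri "$conf")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $actual"
    else
        echo "mismatch: expected $expected, found ${actual:-<none>}" >&2
        return 1
    fi
}

# Usage: sh check.sh <path to deploymentclient.conf> <cloud instance URL>
if [ "$#" -eq 2 ]; then check_deploy_target "$1" "$2"; fi
```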


Now you can continue to "Add data inputs to receive from a forwarder".

Last modified on 26 May, 2016

This documentation applies to the following versions of Splunk® Light (Legacy): 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5

