Install and deploy a universal forwarder
You can use the Splunk universal forwarder to collect and forward data from other machines to your Splunk Light instance or Splunk Light cloud service. The universal forwarder is a separate Splunk software product that you need to install and configure before you can add a receiving data input in the Splunk Light instance.
Download the universal forwarder
You can download the Splunk Universal Forwarder from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.
On a Splunk Light cloud service instance, you can also download the universal forwarder from the Universal Forwarder view. You can find this view by selecting it from the sidebar menu under System.
Install the universal forwarder
Install the universal forwarder on the machines that host the data you want to index and search from Splunk Light.
To install, configure, and deploy the universal forwarder, select one of the following topics in the Splunk Universal Forwarder Manual.
- Install a Windows universal forwarder
Set your Splunk Light instance to receive data
On your Splunk Light instance, turn on the receiving port. This is the same port that you configure the universal forwarder to send data to. See Receive data from a forwarder in the Getting Started Manual.
Configure the universal forwarder
You can configure the universal forwarder to do the following:
- Act as a forwarder-server to send data to your Splunk Light instance.
- Act as a deployment client, which lets you add data inputs using your Splunk Light instance.
The universal forwarder does not include a graphical user interface. The Windows installation GUI lets you apply these settings when you install. On Unix and Mac OS, you need to use the command line interface to configure the universal forwarder.
To configure the universal forwarder to send data to your Splunk Light instance, run the following command.
splunk add forward-server <host>:<port>
- <host> is the hostname or IP address for the receiving indexer, your Splunk Light instance.
- <port> is the receiving port you set on your Splunk Light instance.
To configure the universal forwarder as a deployment client, run the following command.
splunk set deploy-poll <host>:<port>
- <host> is the hostname or IP address for the deployment server, your Splunk Light instance.
- <port> is the management port for your Splunk Light instance.
If you configure your universal forwarder to act as a forwarder server, but not a deployment client, then you need to define data inputs on the forwarder. These data inputs do not get indexed on the universal forwarder. The forwarder sends them to your Splunk Light instance. Restart the universal forwarder to save your input configurations.
If you configure the universal forwarder to act as a deployment client, you can use the Add Data workflow on the receiving Splunk Light instance to define the data inputs to receive from the forwarders. See "Receive data from a forwarder" in the Getting Started Manual.
For more information about command line configurations for forwarding, see the command line help for forwarding.
splunk help forwarding
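The two configuration commands above, followed by the restart and a check on the forwarder, as an added example that is not part of the Splunk documentation. The install path, the addresses, ports 9997 and 8089, and the monitored path are assumed values; add monitor and list forward-server are forwarder CLI commands that this page does not show.

```shell
#!/bin/sh
# Added example: prints the forwarder CLI steps after validating <host>:<port>.
# Assumed: install path, sample addresses, ports 9997 and 8089, monitored path.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"

# valid_target HOST:PORT -> 0 when host is a plain name/IPv4 and port is 1-65535.
valid_target() {
    host=${1%:*}; port=${1##*:}
    [ "$host" != "$1" ] && [ -n "$host" ] || return 1   # must contain a colon
    case $host in *[!A-Za-z0-9.-]*) return 1 ;; esac     # no spaces or shell metacharacters
    case $port in ''|*[!0-9]*) return 1 ;; esac          # digits only
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# plan_forwarder RECEIVER:PORT [DEPLOY_SERVER:MGMT_PORT] [MONITOR_PATH]
# Prints the commands in order so they can be reviewed before being run.
plan_forwarder() {
    recv=$1; deploy=${2:-}; path=${3:-}
    valid_target "$recv" || { echo "bad receiver: $recv" >&2; return 2; }
    if [ -n "$deploy" ]; then
        valid_target "$deploy" || { echo "bad deployment server: $deploy" >&2; return 2; }
        # The receiving port and the management port are different listeners.
        if [ "$deploy" = "$recv" ]; then
            echo "deploy-poll needs the management port, not the receiving port" >&2
            return 3
        fi
    fi
    echo "$SPLUNK_BIN add forward-server $recv"
    if [ -n "$deploy" ]; then
        echo "$SPLUNK_BIN set deploy-poll $deploy"   # inputs then come from Add Data
    elif [ -n "$path" ]; then
        echo "$SPLUNK_BIN add monitor $path"          # inputs defined on the forwarder
    fi
    echo "$SPLUNK_BIN restart"
    echo "$SPLUNK_BIN list forward-server"            # lists active and inactive forwards
}

# Constructed sample run (prints only, changes nothing):
plan_forwarder "10.0.0.5:9997" "10.0.0.5:8089"
```

Passing the same host:port for both roles is rejected because it usually means the management port and the receiving port were mixed up.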
Verify that your forwarder settings work
Verify that data is coming to your instance by searching for the data on the receiver or Splunk Light instance. If you do not receive data after a few minutes, you may need to restart your universal forwarder before you search for the data again.
This documentation applies to the following versions of Splunk® Light (Legacy): 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5