Splunk® Light (Legacy)

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of SplunkLight. Click here for the latest version.
Download topic as PDF

Install and deploy a universal forwarder

You can use the Splunk universal forwarder to collect and forward data from other machines to your Splunk Light instance or Splunk Light cloud service. The universal forwarder is a separate Splunk software product that you need to install and configure before you can add a receiving data input in the Splunk Light instance.

Download the universal forwarder

You can download the Splunk Universal Forwarder from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.

http://www.splunk.com/en_us/download/universal-forwarder.html

On a Splunk Light cloud service instance, you can also download the universal forwarder from the Universal Forwarder view. You can find this view by selecting it from the sidebar menu under System.

Install the universal forwarder

Install the universal forwarder on the machines that host the data you want to index and search from Splunk Light.

To install, configure, and deploy the universal forwarder, select one of the following topics in the Splunk Universal Forwarder Forwarder Manual.

Set your Splunk Light instance to receive data

On your Splunk Light instance, turn on the receiving port. This is also the port that you configure the universal forwarder to send the data inputs. See Receive data from a forwarder in the Getting Started Manual.

Configure the universal forwarder

You can configure the universal to do the following:

  • Act as a forwarder-server to send data to your Splunk Light instance.
  • Act as a deployment client, and lets you add data inputs using your Splunk Light instance.

The universal forwarder does not include a graphical user interface. The Windows installation GUI lets you apply these settings when you install. On Unix and Mac OS, you need to use the command line interface to do these configurations on the universal forwarder.

To configure the universal forwarder to send data to your Splunk Light instance, run the following command.

splunk add forward-server <host>:<port>
  • <host> is the hostname or IP address for the receiving indexer, your Splunk Light instance.
  • <port> is the receiving port you set on your Splunk Light instance.

To configure the universal forwarder as a deployment client, run the following command.

splunk set deploy-poll <host>:<port>
  • <host> is the hostname or IP address for the deployment server, your Splunk Light instance.
  • <port> is the management port for your Splunk Light instance.

If you configure your universal forwarder to act as a forwarder server, but not a deployment client, then you need to define data inputs on the forwarder. These data inputs do not get indexed on the universal forwarder. The forwarder sends them to your Splunk Light instance. Restart the universal forwarder to save your input configurations.

If you configure the universal forwarder to act as a deployment client, you can use the Add Data workflow on the receiving Splunk Light instance to define the data inputs to receive from the forwarders. See "Receive data from a forwarder" in the Getting Started Manual.


For more information about command line configurations for forwarding, see the command line help for forwarding.

splunk help forwarding

Verify that your forwarder settings work

Verify that data is coming to your instance by searching for the data on the receiver or Splunk Light instance. If you do not receive data after a few minutes, you may need to restart your universal forwarder before you search for the data again.

Last modified on 30 July, 2020
PREVIOUS
Run Splunk Light as a non-root user
  NEXT
About Splunk Light licensing

This documentation applies to the following versions of Splunk® Light (Legacy): 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters