Forward data to Splunk Light cloud service using Mac OS
The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into the Splunk Light cloud service. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.
The following steps are for a default configuration of the universal forwarder to get data into the Splunk Light cloud service. In these steps, you will:
- Download and install the universal forwarder software.
- Download and install the universal forwarder credentials, which enable the forwarder to communicate with the Splunk Light cloud service.
- Configure the universal forwarder to act as a deployment client.
- Configure inputs to collect data from the host that the universal forwarder is on.
Log into the Splunk Light cloud service
Log into the Splunk Light cloud service.
- If you have Splunk Light cloud service, you can access your instance by logging into your www.splunk.com account, going to My Account > Instances, and clicking Access Instance. The Splunk Light user interface displays.
- If you do not have Splunk Light cloud service, you must provision an instance first before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light cloud service.
Step 1: Download the universal forwarder
Download the Splunk Universal Forwarder for Mac OS.
1. Once you are logged into the Splunk Light user interface, click the menu at the top left of the screen to open the sidebar menu and select System > Universal Forwarder.
2. In Step 1 of the Universal Forwarder view, click Download Universal Forwarder. You are redirected to the Splunk Universal Forwarder downloads page on www.splunk.com.
3. Click the Mac OS button and click the installer that is appropriate for your platform.
4. Click Save File to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f2c83...8108-macosx-10.9.intel.dmg.
By default, the splunkforwarder file is saved to the Downloads (/Users/<username>/Downloads/) directory.
Step 2: Install the universal forwarder
Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to the Splunk Light cloud service.
Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.
1. Double-click the splunkforwarder file to launch the installer.
2. Double-click the Install Splunk Universal Forwarder icon.
3. The Introduction dialog displays, indicating the version and copyright information. Click Continue.
4. Read the Software License Agreement. Click Continue to agree to the license terms.
5. Click Agree to confirm you accept the software license agreement and to continue with the installation.
6. The Installation Type dialog displays, showing a pre-installation summary. Click Install.
7. Confirm you want to install new software. Enter your Username and Password for the machine you are installing the universal forwarder on, and click Install Software.
8. The installation completes and indicates the installation was successful. Click Close.
9. A brief initialization runs. Click OK to continue. The installation starts and might take a few minutes to complete.
10. Click Start Splunk.
11. Click OK to acknowledge the universal forwarder is installed and started.
By default, the SplunkForwarder is installed in the /Applications directory.
Step 3: Download the universal forwarder credentials
Download the universal forwarder credentials file, which contains a custom certificate assigned to your specific instance of Splunk Light cloud service. When installed, these credentials enable the forwarder to send data to the Splunk Light cloud service.
1. In the Splunk Light user interface, in the sidebar menu select System > Universal Forwarder.
2. In Step 3 click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
3. Click Save File and click OK.
By default, the splunkclouduf.spl file is saved to the Downloads (/Users/<username>/Downloads/) directory.
Step 4: Install the universal forwarder credentials
Add the universal forwarder credentials to the universal forwarder to allow forwarding to the Splunk Light cloud service.
Note: When you install the credentials file into the universal forwarder, the default username and password for a first-time installation of the universal forwarder are admin:changeme. To change the admin password, run the edit user command. For example:
./splunk edit user admin -password foo -auth admin:changeme
1. Launch a terminal window. A terminal window can typically be found on your Mac by going to Finder > Applications > Utilities > Terminal.
2. Apply the universal forwarder credentials file splunkclouduf.spl to the SplunkForwarder. Enter the following command:
/Applications/SplunkForwarder/bin/splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>
- <full path to splunkclouduf.spl> is the full path to the splunkclouduf.spl file. In the example below, the default Downloads directory is used.
- <username>:<password> are the username and password of an existing admin account on the universal forwarder.
/Applications/SplunkForwarder/bin/splunk install app /Users/johnsmith/Downloads/splunkclouduf.spl -auth admin:changeme
Step 5: Configure the universal forwarder to be a deployment client
Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from the Splunk Light cloud service, which is the deployment server.
1. Register the universal forwarder as a deployment client of the Splunk Light cloud service, the deployment server. Enter the following command:
/Applications/SplunkForwarder/bin/splunk set deploy-poll api-<Splunk Light cloud service hostname>:<mgmtPort>
- <Splunk Light cloud service hostname> is the cloud instance URL without https://, such as instance.cloud.splunk.com or abc-d-12abcdefghij.cloud.splunk.com. In the command, it is prefixed with api-.
- <mgmtPort> is the management port. The default is 8089.
/Applications/SplunkForwarder/bin/splunk set deploy-poll api-abc-d-12abcdefghij.cloud.splunk.com:8089
2. Restart the universal forwarder. Enter the following command:
You should now see the universal forwarder listed in the Forwarder Management view of the Splunk Light cloud service user interface (in the sidebar menu, select System > Forwarder Management). This can take up to 15 minutes as the Splunk Light cloud service updates.
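Steps 4 and 5 as one reviewable script, as an added example that is not part of the Splunk documentation: it derives the deploy-poll target from the instance URL using the rule above, rejects hosts outside cloud.splunk.com, and prints the install, deploy-poll and restart commands. The function names and the cloud.splunk.com suffix check are assumptions; the sample user and instance come from the page's examples.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation; function names are hypothetical.
SPLUNK_BIN="/Applications/SplunkForwarder/bin/splunk"  # default path from Step 2

# deploy_poll_target <instance URL or hostname> [mgmtPort]
# Strips scheme, path and port, prepends "api-" once, appends the management port.
deploy_poll_target() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    port=${2:-8089}
    host=${host#https://}; host=${host#http://}
    host=${host%%/*}    # drop any path
    host=${host%%:*}    # drop any port pasted with the URL
    case $host in
        ''|*[!a-z0-9.-]*) echo "invalid hostname: $1" >&2; return 1 ;;
    esac
    # Assumption: instances live under cloud.splunk.com, as in the page's examples.
    # The deployment server controls this forwarder's inputs, so reject other hosts.
    case $host in
        ?*.cloud.splunk.com) ;;
        *) echo "not a cloud.splunk.com host: $host" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    case $host in api-*) ;; *) host="api-$host" ;; esac
    printf '%s:%s\n' "$host" "$port"
}

# print_setup_commands <full path to splunkclouduf.spl> <instance URL>
# Prints the Step 4 and Step 5 commands for review before you run them.
# -auth is omitted so the splunk CLI prompts for credentials instead of
# leaving the password in shell history.
print_setup_commands() {
    case $1 in /*) ;; *) echo "need a full path: $1" >&2; return 1 ;; esac
    target=$(deploy_poll_target "$2") || return 1
    printf '%s install app "%s"\n' "$SPLUNK_BIN" "$1"
    printf '%s set deploy-poll %s\n' "$SPLUNK_BIN" "$target"
    printf '%s restart\n' "$SPLUNK_BIN"
}

# Constructed sample values (user name and instance taken from the page's examples).
print_setup_commands /Users/johnsmith/Downloads/splunkclouduf.spl \
    https://abc-d-12abcdefghij.cloud.splunk.com
```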
Step 6: Specify data inputs to forward data to Splunk Light
Specify which data inputs the universal forwarder uses to collect data.
1. In the Splunk Light user interface, click Search in the top menu bar.
2. In the Search view, under Data on the right of the screen, click the Add Data button.
3. On the Add Data view, click Forward.
4. Next to Select Server Class, click New. Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light cloud service (deployment server).
5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.
6. In the New Server Class Name field, enter a name for the new server class.
7. Click Next near the top of the screen.
8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected. Click a source option:
- Files & Directories for file uploads and directory monitoring.
- TCP/UDP for network port inputs.
- Scripts for data from APIs and services.
9. Enter a File or Directory name. For example,
10. Click Next near the top of the screen.
11. In the Input Settings view, next to Source type click Automatic.
12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light cloud service.
13. Click Submit.
14. The message "File input has been created successfully" displays. Click Start Searching to see the data in the Search view. This might take a few moments to display, as the Splunk Light cloud service updates.
To continue adding data and to learn more about searching and reporting, see:
- About adding data to Splunk Light in the Getting Started Manual.
- About Splunk Light Search and Reporting Examples and Scenarios in Search and Reporting Examples.
This documentation applies to the following versions of Splunk® Light (Legacy): 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6