Forward data to Splunk Light cloud service using Microsoft Windows
The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into the Splunk Light cloud service. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.
The following steps are for a default configuration of the universal forwarder to get data into the Splunk Light cloud service. In these steps, you will:
- Download and install the universal forwarder software, which includes configuring the universal forwarder to act as a deployment client.
- Download and install the universal forwarder credentials, which enables the forwarder to communicate with the Splunk Light cloud service.
- Configure inputs to collect data from the host that the universal forwarder is on.
Log in to your Splunk Light cloud service
1. Log in to the Splunk Light cloud service.
- If you have Splunk Light cloud service, access your instance by logging in to your www.splunk.com account, going to My Account > Instances, and clicking Access Instance. The Splunk Light user interface displays.
- If you do not have Splunk Light cloud service, you must provision an instance first before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light cloud service.
Step 1: Download the universal forwarder
1. Download the Splunk Universal Forwarder for Windows.
2. Once you are logged into the Splunk Light user interface, click the menu at the top left, which is the sidebar menu, and select System > Universal Forwarder.
3. In Step 1 of the Universal Forwarder view, click Download Universal Forwarder. You are re-directed to the Splunk Universal Forwarder downloads page on www.splunk.com.
4. Click the Windows button and click the installer that is appropriate for your platform.
5. Click Save File and click OK to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f44afce176d0-x64-release.msi.
Note: The splunkforwarder file is typically saved to the Downloads directory by default (for example, \Users\<username>\Downloads\). If downloaded to a different location, make note of the location.
Step 2: Install the universal forwarder
Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to the Splunk Light cloud service.
Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.
1. Double-click the splunkforwarder file to launch and run the installer.
2. Read the license agreement and select Check this box to accept the License Agreement.
3. Uncheck the check box labeled "Use this UniversalForwarder with on-premises Splunk Enterprise. Uncheck if you want this UniversalForwarder to contact a Splunk Cloud instance."
4. Click Next.
5. On the Deployment Server dialog, in the Hostname or IP field enter your Splunk Light cloud service hostname. <Splunk Light cloud service hostname> is the cloud instance URL, less https:// and prepended with input-, such as input-instance.cloud.splunk.com or input-abc-d-12abcdefghij.cloud.splunk.com. For example,
6. Enter the port number 8089. This is the default management port.
7. Click Next.
8. Click Install for the Setup Wizard to begin the installation. Note: The SplunkUniversalForwarder is typically installed in the Program Files directory by default. If installed in another location, make note of the location.
9. Click Finish when the universal forwarder is successfully installed.
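Two checks worth running on the forwarder host around this step, as an added example that is not part of the Splunk documentation: verify the Authenticode signature of the downloaded MSI before launching it, and confirm that the Deployment Server hostname entered in the installer is reachable on port 8089. The function names, the signer pattern and the sample instance URL are assumptions made for the example.

```powershell
# Added example, not from the Splunk documentation.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedSigner = '*Splunk*')
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Status is Valid only when the file is signed, unmodified and chains to a trusted root.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumption: the publisher name in the signing certificate contains "Splunk".
    return ($sig.SignerCertificate.Subject -like $ExpectedSigner)
}

function Get-DeploymentServerHost {
    param([Parameter(Mandatory)][string]$InstanceUrl)
    # Accept the instance URL with or without the https:// scheme.
    $value = $InstanceUrl.Trim()
    if ($value -notmatch '^[a-z][a-z0-9+.-]*://') { $value = "https://$value" }
    $hostName = ([System.Uri]$value).Host
    if (-not $hostName) { throw "No hostname found in '$InstanceUrl'" }
    # Do not prepend input- twice if the input- host was passed in.
    if ($hostName -like 'input-*') { return $hostName }
    return "input-$hostName"
}

# Newest forwarder MSI in the default Downloads directory.
$msi = Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') -Filter 'splunkforwarder-*.msi' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $msi) { throw 'No splunkforwarder MSI found in Downloads.' }
if (-not (Test-InstallerSignature -Path $msi.FullName)) {
    throw "Signature check failed for $($msi.Name); do not install it."
}

# Constructed sample URL; replace with your own cloud instance URL.
$deployHost = Get-DeploymentServerHost -InstanceUrl 'https://instance.cloud.splunk.com'
$probe = Test-NetConnection -ComputerName $deployHost -Port 8089 -WarningAction SilentlyContinue
'{0} signed OK; {1}:8089 reachable: {2}' -f $msi.Name, $deployHost, $probe.TcpTestSucceeded
```

If the reachability result is False, check outbound firewall rules for TCP 8089 before troubleshooting the forwarder itself.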
Step 3: Download the universal forwarder credentials
Download the universal forwarder credentials file, which contains a custom certificate assigned to your specific instance of Splunk Light cloud service. When installed, these credentials enable the forwarder to send data to the Splunk Light cloud service.
1. In the Splunk Light user interface, go back to the Universal Forwarder dialog. In the sidebar menu select System > Universal Forwarder.
2. In Step 3 click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
3. Click Save File and click OK.
Note: The splunkclouduf.spl file is typically saved to the Downloads directory by default (for example, \Users\<username>\Downloads\). If downloaded to a different location, make note of the location.
Step 4: Install the universal forwarder credentials
Add the universal forwarder credentials to the universal forwarder to allow forwarding to the Splunk Light cloud service.
Note: Installing the credentials file requires the forwarder's admin credentials. The default username and password for a first-time installation of the universal forwarder is admin:changeme. To change the admin password, run the edit user command. For example:
splunk edit user admin -password foo -auth admin:changeme
1. Launch a command prompt window. Note: You can search for a command prompt, or you can typically access one by clicking the Start button > All Programs > Accessories > Command Prompt.
2. Navigate to the bin directory of the SplunkUniversalForwarder. For example
cd \Program Files\SplunkUniversalForwarder\bin\
3. Apply the universal forwarder credentials file splunkclouduf.spl to your SplunkUniversalForwarder. Enter the following command:
splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>
- <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located. In this example, the default Downloads directory \Users\<username>\Downloads\ is used.
- <username>:<password> are the username and password of an existing admin account on the universal forwarder. For example
splunk install app \Users\johnsmith\Downloads\splunkclouduf.spl -auth admin:changeme
4. Restart the universal forwarder. Enter the following command:
You should now be able to see the universal forwarder listed in the Forwarder Management view of the Splunk Light cloud service user interface (in the sidebar menu, select System > Forwarder Management). This can take up to 15 minutes as the Splunk Light cloud service updates.
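The Step 4 procedure as one PowerShell script, written as an added example that is not part of the Splunk documentation. It prompts for the admin password instead of hard-coding it, replaces the admin:changeme default before installing the credentials file, and stops on the first failed command. The default install and Downloads paths are assumed, the helper function names are hypothetical, and splunk restart is the Splunk CLI restart command.

```powershell
# Added example, not from the Splunk documentation.
# Assumes the default install and Downloads locations named in the steps above.
$splunk = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
$spl    = Join-Path $env:USERPROFILE 'Downloads\splunkclouduf.spl'
foreach ($path in $splunk, $spl) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }
}

# Prompt without echo so the password is not saved in a script or shell history.
# It still appears on the splunk.exe command line for the life of each call.
function Read-Plain([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

function Assert-LastExit([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

$password = Read-Plain 'Forwarder admin password'

# Replace the first-time default before the forwarder is put into service.
if ($password -eq 'changeme') {
    $new = Read-Plain 'New admin password'
    # Hypothetical local rule, not a Splunk requirement.
    if ($new -eq 'changeme' -or $new.Length -lt 12) { throw 'Choose a stronger password.' }
    & $splunk edit user admin -password $new -auth "admin:$password"
    Assert-LastExit 'Password change'
    $password = $new
}

& $splunk install app $spl -auth "admin:$password"
Assert-LastExit 'Credentials install'

& $splunk restart
Assert-LastExit 'Restart'
```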
Step 5: Specify data inputs to forward data to Splunk Light
Specify which data inputs the universal forwarder uses to collect data.
1. In the Splunk Light user interface, click Search in the top menu bar.
2. In the Search view, under Data on the right of the screen, click the Add Data button.
3. On the Add Data view, click Forward.
4. Next to Select Server Class, click New. Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light cloud service (deployment server).
5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.
6. In the New Server Class Name field, enter a name for the new server class.
7. Click Next near the top of the screen.
8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected. Click a source option:
- Local Event Logs to collect event logs from the machine you are using.
- Files & Directories for file uploads and directory monitoring.
- TCP/UDP for network port inputs.
- Scripts for data from APIs and services.
9. Enter a File or Directory name. For example,
10. Click Next near the top of the screen.
11. In the Input Settings view, next to Source type click Automatic.
12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light cloud service.
13. Click Submit.
14. The message "File input has been created successfully" displays. Click Start Searching to see the data in the Search view. This might take a few moments to display, as the Splunk Light cloud service updates.
To continue adding data and to learn more about searching and reporting, see:
- About adding data to Splunk Light in the Getting Started Manual.
- About Splunk Light Search and Reporting Examples and Scenarios in Search and Reporting Examples.
This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0