Splunk® Light

Getting Started Manual

Forward data to Splunk Light using Mac OS

The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into Splunk Light, also known as forwarding data to Splunk Light. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.

The following steps are for a default configuration of the universal forwarder to get data into Splunk Light. In these steps, you will:

  • Configure Splunk Light to receive data from the universal forwarder.
  • Download and install the universal forwarder software.
  • Configure the universal forwarder to send data to the Splunk Light instance.
  • Configure the universal forwarder to act as a deployment client.
  • Configure inputs to collect data from the host that the universal forwarder is on.

Log into Splunk Light

Log into Splunk Light, also referred to as your Splunk Light instance.

  • If you have Splunk Light installed, log into your Splunk Light instance to access the user interface.
  • If you do not have Splunk Light, you must provision an instance first before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light.

Step 1: Configure Splunk Light to receive data from the universal forwarder

Configure the Splunk Light instance to receive data from the universal forwarder.

1. From the Splunk Light user interface, click the menu at the top left of the screen to open the sidebar menu and select Data > Data receiving.

2. Click Add new.

3. In the Listen on this port field, enter the port number that you want the Splunk Light instance to listen on and click Save.

  • The TCP port is also known as the receiving port. The default port is 9997.
  • The Splunk Light instance begins listening on the port that you entered.

Step 2: Download the universal forwarder

Download the Splunk Universal Forwarder for Mac OS from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.

1. From a web browser, go to: http://www.splunk.com/en_us/download/universal-forwarder.html

2. Click the Mac OS button and click the installer that is appropriate for your platform.

3. Click Save File to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f2c83...8108-macosx-10.9.intel.dmg.

By default, the splunkforwarder file is saved to the Downloads (/Users/<username>/Downloads/) directory.

Step 3: Install the universal forwarder

Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to Splunk Light.

Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.

1. Double-click the splunkforwarder file to launch the installer.

2. Double-click the Install Splunk Universal Forwarder icon.

3. The Introduction dialog displays, indicating the version and copyright information. Click Continue.

4. Read the Software License Agreement. Click Continue to agree to the license terms.

5. Click Agree to confirm you accept the software license agreement and to continue with the installation.

6. The Installation Type dialog displays, showing a pre-installation summary. Click Install.

7. Confirm you want to install new software. Enter your Username and Password for the machine you are installing the universal forwarder on, and click Install Software.

8. The Summary dialog displays indicating the installation was successful. Click Close.

9. A brief initialization runs. Click OK to continue. The installation starts and might take a few minutes to complete.

10. Click Start Splunk.

11. Click OK to acknowledge the universal forwarder is installed and started.

By default, the SplunkForwarder is installed in the /Applications directory.

Step 4: Configure the universal forwarder to send data to Splunk Light

Configure the universal forwarder to send data to the Splunk Light instance.

1. Launch a terminal window. A terminal window can typically be found on your Mac by going to Finder > Applications > Utilities > Terminal.

2. Enter the following command:

/Applications/SplunkForwarder/bin/splunk add forward-server <host>:<port> -auth <username>:<password>

  • <host> is the hostname or IP address of the Splunk Light instance that will receive the data. In this example, the hostname is mycompany.
  • <port> is the receiving port you set on the Splunk Light instance. The default port is 9997.
  • <username>:<password> are the username and password used to log into the universal forwarder. In this example, the username and password are admin:changeme.

For example, /Applications/SplunkForwarder/bin/splunk add forward-server mycompany:9997 -auth admin:changeme

Step 5: Configure the universal forwarder to be a deployment client

Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from your Splunk Light instance, which is the deployment server.

1. Register the universal forwarder as a deployment client of the Splunk Light instance, the deployment server. Enter the following command:

/Applications/SplunkForwarder/bin/splunk set deploy-poll <host>:<mgmtPort>

  • <host> is the hostname or IP address of the Splunk Light instance. In this example, the hostname is mycompany.
  • <mgmtPort> is the management port of the Splunk Light instance. The default is 8089.

For example, /Applications/SplunkForwarder/bin/splunk set deploy-poll mycompany:8089

2. Restart the universal forwarder. Enter the following command:

/Applications/SplunkForwarder/bin/splunk restart

You should see the universal forwarder listed in the Forwarder Management view of the Splunk Light user interface (in the sidebar menu, select System > Forwarder Management). The view can take a few minutes to update.
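
To confirm that Steps 4 and 5 left the forwarder pointing only at the intended Splunk Light instance, the following added example (not part of the Splunk documentation) reads the forwarder's configuration files and reports any other target. The file names, stanza names, and the etc/system/local location are assumptions about what the two CLI commands write, and the sample files are constructed for the demonstration.

```shell
# Added example: audit where a universal forwarder sends data and takes config from.
# Assumption: Steps 4 and 5 persist their settings in outputs.conf and
# deploymentclient.conf, normally under /Applications/SplunkForwarder/etc/system/local.

# conf_value FILE STANZA KEY: print KEY's value from [STANZA] of a .conf file
conf_value() {
  [ -r "$1" ] || return 0          # a missing file simply yields no value
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); inside = ($0 == want); next }
    inside && (eq = index($0, "=")) {
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) print v
    }' "$1"
}

# check_targets CONF_DIR RECEIVER DEPLOY_SERVER: returns 0 only if nothing else is set
check_targets() {
  rc=0
  servers=$(conf_value "$1/outputs.conf" "tcpout:default-autolb-group" server)
  [ -n "$servers" ] || { echo "no forward-server configured"; rc=1; }
  for s in $(printf '%s' "$servers" | tr ',' ' '); do
    [ "$s" = "$2" ] || { echo "unexpected forward-server: $s"; rc=1; }
  done
  uri=$(conf_value "$1/deploymentclient.conf" "target-broker:deploymentServer" targetUri)
  [ "$uri" = "$3" ] || { echo "unexpected deployment server: ${uri:-<none>}"; rc=1; }
  return $rc
}

# Constructed sample files, shaped like the result of Steps 4 and 5
write_sample_conf() {
  mkdir -p "$1"
  printf '%s\n' '[tcpout]' 'defaultGroup = default-autolb-group' '' \
    '[tcpout:default-autolb-group]' "server = $2" > "$1/outputs.conf"
  printf '%s\n' '[target-broker:deploymentServer]' "targetUri = $3" \
    > "$1/deploymentclient.conf"
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir" "mycompany:9997" "mycompany:8089"
check_targets "$demo_dir" "mycompany:9997" "mycompany:8089" && echo "forwarder targets OK"
rm -rf "$demo_dir"
```

On a real host, pass the forwarder's configuration directory as the first argument to check_targets instead of the demo directory.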

Step 6: Specify data inputs to forward data to Splunk Light

Specify which data inputs the universal forwarder uses to collect data.

1. In the Splunk Light user interface, click Search in the top menu bar.

2. In the Search view, under Data on the right of the screen, click the Add Data button.

3. On the Add Data view, click Forward.

4. Next to Select Server Class, click New. Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light instance (deployment server).

5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.

6. In the New Server Class Name field, enter a name for the new server class.

7. Click Next near the top of the screen.

8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected. Click a source option:

  • Files & Directories for file uploads and directory monitoring.
  • TCP/UDP for network port inputs.
  • Scripts for data from APIs and services.

9. Enter a File or Directory name. For example, /var/log

10. Click Next near the top of the screen.

11. In the Input Settings view, next to Source type click Automatic.

12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light instance.

13. Click Submit.

14. The message "File input has been created successfully" displays. Click Start Searching to see the data in the Search view. The data might take a few moments to appear on the Search page.

Learn more

To continue adding data and to learn more about searching and reporting, see:

This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1

