Forward data to Splunk Light using Microsoft Windows
The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into Splunk Light, also known as forwarding data to Splunk Light. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.
The following steps are for a default configuration of the universal forwarder to get data into Splunk Light. In these steps, you will:
- Configure Splunk Light to receive data from the universal forwarder.
- Download and install the universal forwarder software, which includes:
- Configure the universal forwarder to act as a deployment client.
- Configure the universal forwarder to send data to the Splunk Light instance.
- Configure inputs to collect data from the host that the universal forwarder is on.
Log into Splunk Light
Log into Splunk Light, also referred to as your Splunk Light instance.
- If you have Splunk Light installed, log into your instance to access the user interface.
- If you do not have Splunk Light, you must provision an instance first before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light.
Step 1: Configure Splunk Light to receive data from the universal forwarder
Configure the Splunk Light instance to receive data from the universal forwarder.
1. From the Splunk Light user interface, click the menu at the top left of the screen to open the sidebar menu and select Data > Data receiving.
2. Click Add new.
3. In the Listen on this port field, enter the port number that you want the Splunk Light instance to listen on and click Save.
- The TCP port is also known as the receiving port.
- The default port is 9997.
The Splunk Light instance begins listening on the port that you entered.
Step 2: Download the universal forwarder
Download the Splunk Universal Forwarder for Windows from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.
1. From a web browser, go to: http://www.splunk.com/en_us/download/universal-forwarder.html
2. Click the Windows button and click the installer that is appropriate for your platform.
3. Click Save File and click OK to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f44afce176d0-x64-release.msi.
Note: The splunkforwarder file is typically saved to the Downloads directory by default (for example, \Users\<username>\Downloads\). If downloaded to a different location, make note of the location.
Step 3: Install the universal forwarder
Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to Splunk Light.
Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.
1. Double-click the splunkforwarder file to launch and run the installer.
2. Read the license agreement. If you agree to the terms of the license, select Check this box to accept the License Agreement and click Next.
3. On the Deployment Server dialog, in the Hostname or IP field enter the hostname or IP address of the Splunk Light instance, which is the deployment server.
4. Enter the port number 8089. This is the default management port.
5. Click Next.
6. On the Receiving Indexer dialog, in the Hostname or IP field enter the hostname or IP address of the Splunk Light instance, which is the receiving server.
7. Enter the port number 9997. This is the default receiving port.
8. Click Install for the Setup Wizard to perform the installation.
Note: The SplunkUniversalForwarder is typically installed in the Program Files directory by default. If installed in another location, make note of the location.
9. Click Finish. The universal forwarder installation is successfully installed and started.
You should see the universal forwarder listed in the Splunk Light user interface Forwarder Management and Forwarder Monitoring views (in the sidebar menu, select System > Forwarder Management or Forwarder Monitoring.) This can take a few minutes to update.
Step 4: Specify data inputs to forward data to Splunk Light
Specify which data inputs the universal forwarder uses to collect data.
1. In the Splunk Light user interface, click Search in the top menu bar.
2. In the Search view, under Data on the right of the screen, click the Add Data button.
3. On the Add Data view, click Forward.
4. Next to Select Server Class, click New.
- Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light instance (deployment server).
5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.
6. In the New Server Class Name field, enter a name for the new server class.
7. Click Next near the top of the screen.
8. Select the type of data for the universal forwarder to collect. Click a source option:
- Files & Directories for file uploads and directory monitoring.
- TCP/UDP for network port inputs.
- Scripts for data from APIs and services. In this example, Files & Directories is selected.
9. Enter a File or Directory name. For example,
10. Click Next near the top of the screen.
11. In the Input Settings view, next to Source type click Automatic.
12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light instance.
13. Click Submit.
14. The File input has been created successfully displays. Click Start Searching to see the data in the Search view. This might take a few moments to display on the Search page.
To continue adding data and to learn more about searching and reporting, see:
- About adding data to Splunk Light in the Getting Started Manual.
- About Splunk Light Search and Reporting Examples and Scenarios in Search and Reporting Examples.
Use HTTP Event Collector in Splunk Light
Forward data to Splunk Light using Linux
This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1