Forward data to Splunk Light using Mac OS
The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into Splunk Light, also known as forwarding data to Splunk Light. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.
The following steps are for a default configuration of the universal forwarder to get data into Splunk Light. In these steps, you will:
- Configure Splunk Light to receive data from the universal forwarder.
- Download and install the universal forwarder software.
- Configure the universal forwarder to send data to the Splunk Light instance.
- Configure the universal forwarder to act as a deployment client.
- Configure inputs to collect data from the host that the universal forwarder is on.
Log into Splunk Light
Log into Splunk Light, also referred to as your Splunk Light instance.
- If you have Splunk Light installed, log into your Splunk Light instance to access the user interface.
- If you do not have Splunk Light, you must provision an instance first before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light.
Step 1: Configure Splunk Light to receive data from the universal forwarder
Configure the Splunk Light instance to receive data from the universal forwarder.
1. From the Splunk Light user interface, click the menu at the top left of the screen to open the sidebar menu and select Data > Data receiving.
2. Click Add new.
3. In the Listen on this port field, enter the port number that you want the Splunk Light instance to listen on and click Save.
- The TCP port is also known as the receiving port. The default port is 9997.
- The Splunk Light instance begins listening on the port that you entered.
Step 2: Download the universal forwarder
Download the Splunk Universal Forwarder for Mac OS from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.
1. From a web browser, go to: http://www.splunk.com/en_us/download/universal-forwarder.html
2. Click the Mac OS button and click the installer that is appropriate for your platform.
3. Click Save File to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f2c83...8108-macosx-10.9.intel.dmg.
By default, the splunkforwarder file is saved to the Downloads (/Users/<username>/Downloads/) directory.
Step 3: Install the universal forwarder
Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to Splunk Light.
Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.
1. Double-click the splunkforwarder file to launch the installer.
2. Double-click the Install Splunk Universal Forwarder icon.
3. The Introduction dialog displays, indicating the version and copyright information. Click Continue.
4. Read the Software License Agreement. Click Continue to agree to the license terms.
5. Click Agree to confirm you accept the software license agreement and to continue with the installation.
6. The Installation Type dialog displays, showing a pre-installation summary. Click Install.
7. Confirm you want to install new software. Enter your Username and Password for the machine you are installing the universal forwarder on, and click Install Software.
8. The Summary dialog displays indicating the installation was successful. Click Close.
9. A brief initialization performs. Click OK to continue. The installation starts and might take a few minutes to complete.
10. Click Start Splunk.
11. Click OK to acknowledge the universal forwarder is installed and started.
By default, the SplunkForwarder is installed in the /Applications directory.
Step 4: Configure the universal forwarder to send data to Splunk Light
Configure the universal forwarder to send data to the Splunk Light instance.
1. Launch a terminal window. A terminal window can typically be found on your Mac by going to Finder > Applications > Utilities > Terminal.
2. Enter the following command:
/Applications/SplunkForwarder/bin/splunk add forward-server <host>:<port> -auth <username>:<password>
- <host> is the hostname or IP address of the Splunk Light instance that will receive the data. In this example, the hostname is mycompany.
- <port> is the receiving port you set on the Splunk Light instance. The default port is 9997.
- <username>:<password> are the username and password used to log into the universal forwarder. In this example, the username and password are admin:changeme.
/Applications/SplunkForwarder/bin/splunk add forward-server mycompany:9997 -auth admin:changeme
Step 5: Configure the universal forwarder to be a deployment client
Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from your Splunk Light instance, which is the deployment server.
1. Register the universal forwarder as a deployment client of the Splunk Light instance, the deployment server. Enter the following command:
/Applications/SplunkForwarder/bin/splunk set deploy-poll <host>:<mgmtPort>
- <host> is the hostname or IP address of the Splunk Light instance. In this example, the hostname is mycompany.
- <mgmtPort> is the management port of the Splunk Light instance. The default is 8089.
/Applications/SplunkForwarder/bin/splunk set deploy-poll mycompany:8089
2. Restart the universal forwarder. Enter the following command:
You should see the universal forwarder listed in the Splunk Light user interface Forwarder Management view (in the sidebar menu, select System > Forwarder Management.) This can take a few minutes to update.
Step 6: Specify data inputs to forward data to Splunk Light
Specify which data inputs the universal forwarder uses to collect data.
1. In the Splunk Light user interface, click Search in the top menu bar.
2. In the Search view, under Data on the right of the screen, click the Add Data button.
3. On the Add Data view, click Forward.
4. Next to Select Server Class, click New. Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light instance (deployment server).
5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.
6. In the New Server Class Name field, enter a name for the new server class.
7. Click Next near the top of the screen.
8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected. Click a source option:
- Files & Directories for file uploads and directory monitoring.
- TCP/UDP for network port inputs.
- Scripts for data from APIs and services.
9. Enter a File or Directory name. For example,
10. Click Next near the top of the screen.
11. In the Input Settings view, next to Source type click Automatic.
12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light instance.
13. Click Submit.
14. The File input has been created successfully displays. Click Start Searching to see the data in the Search view. This might take a few moments to display on the Search page.
To continue adding data and to learn more about searching and reporting, see:
- About adding data to Splunk Light in the Getting Started Manual.
- About Splunk Light Search and Reporting Examples and Scenarios in Search and Reporting Examples.
Forward data to Splunk Light using Linux
Check the status of forwarders in Splunk Light
This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6