The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into the Splunk Light cloud service. The universal forwarder is a separate Splunk software product that needs to be installed and configured as a prerequisite to collect data from a remote system.

The following steps are for a default configuration of the universal forwarder to get data into the Splunk Light cloud service. In these steps, you will:

  • Download and install the universal forwarder software.
  • Download and install the universal forwarder credentials, which enable the forwarder to communicate with the Splunk Light cloud service.
  • Configure the universal forwarder to act as a deployment client.
  • Configure inputs to collect data from the host that the universal forwarder is on.

Log into the Splunk Light cloud service

Log into the Splunk Light cloud service.

  • If you have Splunk Light cloud service, you can access your instance by logging into your www.splunk.com account, going to My Account > Instances, and clicking Access Instance. The Splunk Light user interface displays.
  • If you do not have Splunk Light cloud service, you must acquire an instance before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light cloud service.

Step 1: Download the universal forwarder

Download the Splunk Universal Forwarder for Linux.

1. Once you are logged into the Splunk Light Cloud user interface, click the menu at the top left of the screen to open the sidebar menu and select System > Universal Forwarder.

2. In Step 1 of the Universal Forwarder view, click Download Universal Forwarder. You are redirected to the Splunk Universal Forwarder downloads page on www.splunk.com.

3. Click the Linux button and click the installer that is appropriate for your platform. This example uses a tar file.

4. Click Save File to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f44afce176d0-Linux-ppc64.tgz.

5. Save the compressed tar file and make note of its location.

Step 2: Install the universal forwarder

Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to the Splunk Light cloud service.

Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.

1. Expand the tar file into an appropriate directory using the tar command. The default installation location is splunkforwarder in the current working directory:

To install into /opt/splunkforwarder, execute:

2. Start the universal forwarder, including reading and accepting the license.
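One way to carry out Step 2 from a shell, as an added example that is not Splunk's own script: it checks the downloaded tar file against a published checksum and confirms every archive member sits under splunkforwarder/ before extracting. The function names are hypothetical, and SHA-512 is assumed as the digest type; supply the value published for your download.

```shell
#!/bin/sh
# Added example, not Splunk's own script. The checksum argument is whatever
# value is published for your download; SHA-512 is assumed here.

# sha512_of FILE: print the lowercase hex SHA-512 digest of FILE.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# install_forwarder TARBALL EXPECTED_SHA512 DEST
# Extract TARBALL under DEST only if its digest matches and every member
# stays inside the splunkforwarder/ directory.
install_forwarder() {
    tarball=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3
    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 2; }
    if [ "$(sha512_of "$tarball")" != "$expected" ]; then
        echo "checksum mismatch for $tarball; not extracting" >&2
        return 1
    fi
    listing=$(tar tzf "$tarball") || return 1
    if printf '%s\n' "$listing" | grep -Eqv '^splunkforwarder(/|$)' ||
       printf '%s\n' "$listing" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected paths in $tarball; not extracting" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest"
}

# Usage for this page's steps (the digest variable is a placeholder):
#   install_forwarder splunkforwarder-<release>-f44afce176d0-Linux-ppc64.tgz \
#       "$EXPECTED_SHA512" /opt
#   /opt/splunkforwarder/bin/splunk start --accept-license
```

The start command with --accept-license accepts the license non-interactively; omit the flag to read the license first.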

Step 3: Download the universal forwarder credentials

Download the universal forwarder credentials file, which contains a certificate specific to your instance of Splunk Light cloud service. When installed, these credentials enable the forwarder to send data to the Splunk Light cloud service.

1. In the Splunk Light user interface, in the sidebar menu select System > Universal Forwarder.

2. In Step 2 click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.

3. Click Save File and click Keep.

By default, the splunkclouduf.spl file is saved in the Downloads (/home/<username>/Downloads/) directory.

Step 4: Install the universal forwarder credentials

Add the universal forwarder credentials to the universal forwarder to allow forwarding to the Splunk Light cloud service.

Note: The default username and password for a first-time installation of the universal forwarder are admin:changeme; you need them when you install the credentials file. To change the admin password, run the edit user command. For example: ./splunk edit user admin -password foo -auth admin:changeme

1. Launch a shell or command prompt.

2. Go to $SPLUNK_HOME/bin and apply the universal forwarder credentials file splunkclouduf.spl to the SplunkForwarder. Enter the following command:

./splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>

  • <full path to splunkclouduf.spl> is the full path to the splunkclouduf.spl file, including the file name. In this example, the default Downloads directory is used.
  • <username>:<password> is the username and password of an existing admin account on the universal forwarder.

For example, ./splunk install app /home/johnsmith/Downloads/splunkclouduf.spl -auth admin:changeme

Step 5: Configure the universal forwarder to be a deployment client

Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from the Splunk Light cloud service, which is also the deployment server.

1. Register the universal forwarder as a deployment client of the Splunk Light cloud service. From $SPLUNK_HOME/bin, enter the following command:

./splunk set deploy-poll input-<Splunk Light cloud service hostname>:<mgmtPort>

  • <Splunk Light cloud service hostname> is the cloud instance URL, less https://, such as instance.cloud.splunk.com or abc-d-12abcdefghij.cloud.splunk.com, and prepended with input-
  • <mgmtPort> is the management port. The default is 8089.

For example, ./splunk set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089

2. Restart the universal forwarder. From $SPLUNK_HOME/bin, enter the following command:

./splunk restart

You should now be able to see the universal forwarder listed in the Forwarder Management view of the Splunk Light cloud service user interface (in the sidebar menu, select System > Forwarder Management). This can take up to 15 minutes as the Splunk Light cloud service updates.
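A check for Step 5, as an added example that is not part of the Splunk documentation: it derives the deploy-poll target from the instance URL using the rule above (drop https://, prepend input-, append the management port) and compares it with the targetUri recorded on the forwarder. The function names are hypothetical, and the file location $SPLUNK_HOME/etc/system/local/deploymentclient.conf is an assumption about where set deploy-poll stores the value.

```shell
#!/bin/sh
# Added example. Assumes `splunk set deploy-poll` records its target as
#   targetUri = <host>:<port>
# in $SPLUNK_HOME/etc/system/local/deploymentclient.conf.

# deploy_poll_target URL [PORT]: print input-<host>:<port> for an instance URL.
deploy_poll_target() {
    port=${2:-8089}
    host=${1#https://}      # drop the scheme, as the step requires
    host=${host%%/*}        # drop any path copied from the browser
    host=${host%%:*}        # drop any port copied from the browser
    host=${host#input-}     # avoid a doubled input- prefix
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $1" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    printf 'input-%s:%s\n' "$host" "$port"
}

# configured_target CONF: print the last targetUri value found in CONF.
configured_target() {
    sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_deploy_poll CONF URL: return 0 only if CONF points at the expected
# deployment server for URL.
check_deploy_poll() {
    want=$(deploy_poll_target "$2") || return 2
    have=$(configured_target "$1")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "deployment server is '$have', expected '$want'" >&2
    return 1
}

# Usage:
#   check_deploy_poll "$SPLUNK_HOME/etc/system/local/deploymentclient.conf" \
#       https://abc-d-12abcdefghij.cloud.splunk.com
```

Because the deployment server decides which inputs and apps the forwarder runs, a mismatch here is worth resolving before Step 6.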

Step 6: Specify data inputs to forward data to Splunk Light

Specify which inputs the universal forwarder uses to collect data.

1. In the Splunk Light user interface, click Search in the top menu bar.

2. In the Search view, under Data on the right of the screen, click the Add Data button.

3. On the Add Data view, click Forward.

4. Next to Select Server Class, click New. Available host(s) are listed, which are the hostnames of the universal forwarders (now configured as deployment clients) connected to the Splunk Light cloud service (the deployment server).

5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.

6. In the New Server Class Name field, enter a name for the new server class.

7. Click Next near the top of the screen.

8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected. Click a source option:

  • Files & Directories for file uploads and directory monitoring.
  • TCP/UDP for network port inputs.
  • Scripts for data from APIs and services.

9. Enter a File or Directory name. For example, /var/log

10. Click Next near the top of the screen.

11. In the Input Settings view, next to Source type click Automatic.

12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder.

13. Click Submit.

14. The message "File input has been created successfully" displays. Click Start Searching to see the data in the Search view. This might take a few moments to display, as the Splunk Light cloud service updates.