The Splunk Universal Forwarder is the easiest and preferred way of getting data from remote systems into Splunk Light, a process also known as forwarding data to Splunk Light. The universal forwarder is a separate Splunk software product that must be installed and configured before you can collect data from a remote system.

The following steps are for a default configuration of the universal forwarder to get data into Splunk Light. In these steps, you will:

  • Configure Splunk Light to receive data from the universal forwarder.
  • Download and install the universal forwarder software.
  • Configure the universal forwarder to send data to the Splunk Light instance.
  • Configure the universal forwarder to act as a deployment client.
  • Configure inputs to collect data from the host that the universal forwarder is on.

Log into Splunk Light

Log into Splunk Light, also referred to as your Splunk Light instance.

  • If you have Splunk Light installed, log into your Splunk Light instance to access the user interface.
  • If you do not have Splunk Light, you must provision an instance before continuing with these steps. Visit the Splunk Light website to learn how to try or buy Splunk Light.

Step 1: Configure Splunk Light to receive data from the universal forwarder

Configure the Splunk Light instance to receive data from the universal forwarder.

1. Once you are logged into the Splunk Light user interface, click the menu at the top left of the screen to open the sidebar menu and select Data > Data receiving.

2. Click Add new.

3. In the Listen on this port field, enter the port number that you want the Splunk Light instance to listen on and click Save.

  • The TCP port is also known as the receiving port. The default port is 9997.
  • The Splunk Light instance begins listening on the port that you specified.

Step 2: Download the universal forwarder

Download the Splunk Universal Forwarder for Linux from Splunk.com using the link below. Choose the installer that matches the platform of the machine that will forward data to your Splunk Light instance.

1. From a web browser, go to: http://www.splunk.com/en_us/download/universal-forwarder.html

2. Click the Linux button and click the installer that is appropriate for your platform. This example uses a tar file.

3. Click Save File to download the splunkforwarder file. The full download file name is similar to splunkforwarder-<release>-f44afce176d0-Linux-ppc64.tgz.

4. Save the tar file and note the location where you saved it.

Step 3: Install the universal forwarder

Install the universal forwarder on the machine that holds, or has access to, the data you want to collect and forward to Splunk Light.

Note: If you want to install the universal forwarder on a different machine, copy the universal forwarder package file to that machine and continue with the steps below.

1. Expand the tar file into an appropriate directory using the tar command. The default installation location is splunkforwarder in the current working directory:

To install into /opt/splunkforwarder, execute:

2. Start the universal forwarder, including reading and accepting the license.
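
The install steps above, as an added shell example (not from the original page or from Splunk): it checks the downloaded tar file against a published digest and confirms that every archive entry sits under splunkforwarder/ before unpacking. The function name install_forwarder and the choice of SHA-256 are assumptions; use whichever digest is published for your exact installer.

```shell
#!/bin/sh
# Added example: verify a downloaded forwarder tar file, then unpack it.
# Usage: install_forwarder TARBALL EXPECTED_SHA256 DEST_DIR
# EXPECTED_SHA256 is an assumption: take it from the vendor's download
# page over HTTPS, never from the same place the tar file came from.
install_forwarder() {
    tarball=$1; expected=$2; dest=$3

    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 2; }

    # Compare digests case-insensitively; refuse to unpack on mismatch.
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    # Assumption: the archive unpacks into a top-level splunkforwarder/
    # directory. Reject any entry outside it, and any ".." component.
    if tar -tzf "$tarball" | grep -Evq '^splunkforwarder(/|$)' ||
       tar -tzf "$tarball" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected paths in $tarball" >&2
        return 1
    fi

    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Typical use (angle-bracket values are placeholders, not real values):
#   install_forwarder splunkforwarder-<release>-<build>-Linux-<arch>.tgz <sha256> /opt
#   /opt/splunkforwarder/bin/splunk start --accept-license
```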

Step 4: Configure the universal forwarder to send data to Splunk Light

Configure the universal forwarder to send data to the Splunk Light instance.

1. Launch a shell or command prompt.

2. Go to $SPLUNK_HOME/bin and enter the following command:

./splunk add forward-server <host>:<port> -auth <username>:<password>

  • <host> is the host name or IP address of the Splunk Light instance that will receive the data. In this example, the hostname is mycompany.
  • <port> is the receiving port you set on the Splunk Light instance. The default port is 9997.
  • <username>:<password> are the username and password used to log into the universal forwarder. In this example, the username and password are admin:changeme.

For example, ./splunk add forward-server mycompany:9997 -auth admin:changeme

Step 5: Configure the universal forwarder to be a deployment client

Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from your Splunk Light instance, which is the deployment server.

1. Register the universal forwarder as a deployment client of the Splunk Light instance, the deployment server. From $SPLUNK_HOME/bin, enter the following command:

./splunk set deploy-poll <host>:<mgmtPort>

  • <host> is the hostname or IP address of the Splunk Light instance. In this example, the hostname is mycompany.
  • <mgmtPort> is the management port of the Splunk Light instance. The default is 8089.

For example, ./splunk set deploy-poll mycompany:8089

2. Restart the universal forwarder. From $SPLUNK_HOME/bin, enter the following command:

./splunk restart

You should see the universal forwarder listed in the Forwarder Management view of the Splunk Light user interface (in the sidebar menu, select System > Forwarder Management). This can take a few minutes to update.
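
Because the deployment server can push input configuration to the forwarder, it is worth confirming on the forwarder host that Steps 4 and 5 recorded the intended targets. The following is an added shell example, not from the original page or from Splunk. The function names are hypothetical, and it assumes the CLI wrote its settings to outputs.conf and deploymentclient.conf under $SPLUNK_HOME/etc/system/local, with a single receiver configured.

```shell
#!/bin/sh
# conf_get FILE STANZA KEY -> prints the value of KEY inside [STANZA].
conf_get() {
    [ -r "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*(#|$)/ { next }                      # skip comments, blanks
        /^[ \t]*\[/    { gsub(/^[ \t]+|[ \t]+$/, ""); cur = $0; next }
        cur == want {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_forwarder CONF_DIR RECEIVER DEPLOY_SERVER
# Returns 0 only if both files name the expected host:port pairs.
# Stanza names are the ones the CLI commands in Steps 4 and 5 create.
check_forwarder() {
    dir=$1; rc=0
    fwd=$(conf_get "$dir/outputs.conf" "tcpout:default-autolb-group" server)
    dep=$(conf_get "$dir/deploymentclient.conf" \
                   "target-broker:deploymentServer" targetUri)
    [ "$fwd" = "$2" ] || { echo "forward-server is '$fwd', expected '$2'" >&2; rc=1; }
    [ "$dep" = "$3" ] || { echo "deploy-poll is '$dep', expected '$3'" >&2; rc=1; }
    return $rc
}

# Typical use with this page's example values:
#   check_forwarder "$SPLUNK_HOME/etc/system/local" mycompany:9997 mycompany:8089
```

On a running forwarder, ./splunk list forward-server additionally shows whether the configured receiver is currently active.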

Step 6: Specify data inputs to forward data to Splunk Light

Specify which data inputs the universal forwarder uses to collect data.

1. In the Splunk Light user interface, click Search in the top menu bar.

2. In the Search view, under Data on the right of the screen, click the Add Data button.

3. On the Add Data view, click Forward.

4. Next to Select Server Class, click New.

  • Available host(s) are listed, which are the hostnames of the universal forwarders (deployment clients) connected to the Splunk Light instance (deployment server).

5. Under Available host(s), click one or more forwarder hosts to add to the Selected host(s) box. This allows you to add a new Server Class.

6. In the New Server Class Name field, enter a name for the new server class.

7. Click Next near the top of the screen.

8. Select the type of data for the universal forwarder to collect. In this example, Files & Directories is selected.

  • Files & Directories for file uploads and directory monitoring.
  • TCP/UDP for network port inputs.
  • Scripts for data from APIs and services.

9. Enter a File or Directory name. For example, /var/log

10. Click Next near the top of the screen.

11. In the Input Settings view, next to Source type click Automatic.

12. Click Review near the top of the screen. This view provides a summary of the data input configuration that is being used to collect data from the universal forwarder and forward to the Splunk Light instance.

13. Click Submit.

14. The message "File input has been created successfully" displays. Click Start Searching to see the data in the Search view. The data might take a few moments to appear on the Search page.