Configuring Splunk Universal Forwarder

Apr 21, 2025

Configure the Universal Forwarder Using Configuration Files - Splunk Documentation

Overview

The documentation provides detailed instructions on how to configure the Splunk Universal Forwarder using configuration files. It covers finding, editing, and managing these configuration files to control data collection and forwarding.

Key Configuration Files

  • inputs.conf: Controls how the forwarder collects data.
  • outputs.conf: Controls how the forwarder sends data to an indexer or other forwarder.
  • server.conf: Used for connection and performance tuning.
  • deploymentclient.conf: Used for connecting to a deployment server.

Steps to Configure

  1. Find the Configuration Files

    • Navigate to outputs.conf in $SPLUNK_HOME/etc/system/local/ to locate the Universal Forwarder configuration files.

  2. Edit the Configuration Files

    • You can edit the files using a text editor, command line, or Splunk Deployment Server.
    • To prevent errors, use the CLI where possible.
    • The forwarder writes configurations for forwarding data to outputs.conf.

Editing Through Command Line

  • General Syntax: ./splunk <command> [<object>] [--<parameter> <value>]...
  • Example Commands:
    • To connect to a receiving indexer: 
      ./splunk add forward-server <host name>:<listening port>
      Example: ./splunk add forward-server idx1.mycompany.com:9997
    • To connect to a deployment server: 
      ./splunk set deploy-poll <host name>:<management port>
      Example: ./splunk set deploy-poll ds1.mycompany.com:8089
    • To configure a data input: 
      ./splunk add monitor /var/log
      This command makes the forwarder monitor the /var/log directory.

Additional Information

  • Restart the Universal Forwarder: Necessary after editing configuration files.
  • Documentation Versions Supported: Applies to multiple versions of the Universal Forwarder from 8.2.6 to 9.4.1.

Support and Resources

  • Support Portal: Submit case tickets.
  • Splunk Answers: Community support.
  • Splunk Documentation: Guides and manuals for further information.
  • Training & Certification: To become a certified Splunk expert.

Conclusion

This guide is an essential tool for managing how the Splunk Universal Forwarder is configured to collect and forward data. It provides insights on editing configuration files using more error-proof methods like the command line interface.

View note source

https://docs.splunk.com/Documentation/Forwarder/9.4.1/Forwarder/Configuretheuniversalforwarder