How to Install a Windows Universal Forwarder: Step-by-Step Guide

Configure Receiving in Splunk Server

Log in to your Splunk server (see how to install Splunk Enterprise here). Click Settings > Forwarding and receiving > Receive data, then click Add new under "Set up this Splunk instance to receive data from forwarder(s)."

The Splunk instance listens on TCP port 9997 (the conventional default) for data from forwarders. Enter 9997 and click the Save button.

How to create a new index in the Splunk server

Next, create an index for the forwarded events. Click Settings > Indexes, then click the New Index button.

Enter a name in Index Name, leave everything else at its default, and click the Save button.
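The two server-side steps above (enable receiving, create the index) can be scripted with the Splunk CLI so they are repeatable across lab rebuilds. The block below is an added example and not part of the original post; it assumes Splunk Enterprise is installed on Windows at the default path, that the admin user is `admin`, that the index is called `winevents`, and that forwarders live in the constructed subnet `10.0.0.0/24`. It also adds the check the Web UI step does not mention: restricting who may connect to the receiving port.

```powershell
# Added example, not part of the original post: the scripted equivalent of the
# "Receive Data" and "New Index" steps above, run on the Splunk Enterprise host.
# Assumptions (change to match your lab): Splunk Enterprise is installed on
# Windows at the default path, the admin user is 'admin', the index is named
# 'winevents', and forwarders sit in 10.0.0.0/24 (a constructed lab subnet).
$SplunkHome      = 'C:\Program Files\Splunk'
$Splunk          = Join-Path $SplunkHome 'bin\splunk.exe'
$IndexName       = 'winevents'
$ForwarderSubnet = '10.0.0.0/24'
$Cred            = Get-Credential -UserName 'admin' -Message 'Splunk admin credentials'
$Auth            = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password

# 1. Receive forwarder traffic on TCP 9997 (adds a [splunktcp://9997] stanza).
& $Splunk enable listen 9997 -auth $Auth

# 2. Create the index the forwarded events will be written to.
& $Splunk add index $IndexName -auth $Auth

# 3. The Web UI step opens the listener but says nothing about who may reach it.
#    Allow 9997 inbound only from the forwarder subnet so arbitrary hosts cannot
#    push events (or junk) into the indexer.
New-NetFirewallRule -DisplayName 'Splunk receiving 9997 from forwarders' `
    -Direction Inbound -Protocol TCP -LocalPort 9997 `
    -RemoteAddress $ForwarderSubnet -Action Allow | Out-Null

# 4. Verify both changes landed in the effective configuration.
& $Splunk btool inputs list splunktcp --debug
& $Splunk list index -auth $Auth | Select-String -SimpleMatch $IndexName
```

Passing `-auth user:password` puts the password on the command line, where it is visible in the process list and shell history; run this from an interactive session rather than storing it in a scheduled script.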

How to Download Splunk Universal Forwarder

Now log in to your Splunk.com account (the one you used to download Splunk Enterprise; see how to install Splunk Enterprise here) and download the latest Splunk Universal Forwarder for your operating system. For this example, I downloaded the Windows 10, 64-bit build. Click the Download Now button. Note the SHA512 checksum listed beside the download; you will want it to verify the installer before running it.

Check the box to agree to the Agreement, and click the Access Program button.

Install the Windows Universal Forwarder on a Windows Machine

Copy the Universal Forwarder installer to the machine whose logs you want to forward, if that is not the machine you downloaded it on. Double-click the installer to start the installation.

Optionally click View the License Agreement. Check the box labelled "Check this box to accept the License Agreement", select "An on-premises Splunk Enterprise instance", and click the Next button.

Create a username and password. This is the local administrator account for the forwarder's own management interface (port 8089), not your indexer login, so do not reuse that password. You can instead check Generate a random password (optional).

Enter the host IP of your deployment server and its management port (the default is 8089), then click the Next button.

Enter the host IP of your receiving indexer (in this lab, the same host as the deployment server) and its receiving port (the default is 9997), then click the Next button.

Click the Install button and wait for the installation to complete.

When the installation completes successfully, click the Finish button.
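The wizard steps above can be replayed unattended with `msiexec`, which is how you would roll the forwarder out to more than a handful of hosts, and it gives you a place to verify the installer's checksum before it executes. The block below is an added example and not the page's own procedure; it assumes the `.msi` was saved to `C:\Temp`, that the deployment server and receiving indexer are the same host at the constructed address `10.0.0.5`, that the forwarder admin account is called `ufadmin`, and that `$ExpectedSha512` is copied from the splunk.com download page for that exact file. Event-log inputs are deliberately not set at install time, matching the page, which pushes them from the deployment server later.

```powershell
# Added example, not part of the original post: an unattended equivalent of the
# installer wizard above, run from an elevated PowerShell on the Windows host
# whose logs you want to forward. Assumptions (change to match your lab): the
# .msi was saved to C:\Temp, the deployment server and receiving indexer are the
# same host at 10.0.0.5 (constructed lab address), and $ExpectedSha512 is the
# SHA512 value copied from the splunk.com download page for that exact file.
$Msi            = 'C:\Temp\splunkforwarder.msi'
$ExpectedSha512 = '<paste the SHA512 shown beside the download>'
$DeploySrv      = '10.0.0.5:8089'
$Indexer        = '10.0.0.5:9997'
$UfHome         = 'C:\Program Files\SplunkUniversalForwarder'
$Cred           = Get-Credential -UserName 'ufadmin' -Message 'Forwarder admin account (min. 8 chars)'
$pw             = $Cred.GetNetworkCredential().Password

# 1. Verify the installer before executing it. Get-FileHash returns upper-case
#    hex and Splunk publishes lower-case, so normalise before comparing. A
#    mismatch (or the unedited placeholder) stops the script here.
$actual = (Get-FileHash -Path $Msi -Algorithm SHA512).Hash
if ($actual -ne $ExpectedSha512.ToUpper()) {
    throw "SHA512 of $Msi does not match the published checksum; not installing."
}

# 2. Same choices as the wizard: accept the licence, point at the deployment
#    server and receiving indexer, create the local admin account, start the
#    service now and on boot. Event-log inputs are not set here; they are
#    pushed later from the deployment server, exactly as in the Web UI steps.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploySrv`"",
    "RECEIVING_INDEXER=`"$Indexer`"",
    "SPLUNKUSERNAME=$($Cred.UserName)",
    "SPLUNKPASSWORD=`"$pw`"",
    'LAUNCHSPLUNK=1',
    'SERVICESTARTTYPE=auto',
    '/quiet',
    '/L*v', 'C:\Temp\uf-install.log'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see C:\Temp\uf-install.log"
}

# 3. Verify: the service is running, the forwarder has an active connection to
#    the indexer, and it knows which deployment server to poll.
Get-Service -Name SplunkForwarder | Select-Object Name, Status, StartType
$uf = Join-Path $UfHome 'bin\splunk.exe'
& $uf list forward-server -auth "$($Cred.UserName):$pw"
& $uf show deploy-poll   -auth "$($Cred.UserName):$pw"
```

`list forward-server` should show the indexer under "Active forwards"; if it appears under "Configured but inactive forwards", check that port 9997 is open on the indexer and reachable from this host before looking anywhere else.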

How to Input Data to Splunk

Next, we need to get data into the Splunk server. Splunk offers three ways to add data: upload a file, monitor a local file or port, or receive from a forwarder. For this lab, we will configure a Local Input and a Forwarded Input. Click Settings > Data inputs.

Click Edit next to Local event log collection.

Select which logs you want to collect. For this example, I selected Add all. Click the Save button.

Now configure the Forwarded Input. Click Add new next to Windows Event Logs.

This page lists your forwarders (the machines on which you installed the Universal Forwarder). Click a hostname to add it to the selected hosts, or click Add all to select every available host. Enter a name in New Server Class Name and click the Next button in the upper right.

Select which logs you want to collect. For this example, I selected Add all. Click the Next button.

Leave the Index at the default and click the Review button. If you want these events written to the index you created earlier, choose it here instead.

Here is the Review page. Review your choices and click the Submit button.

The event log input was created successfully. You can add more data by clicking the Add More Data button.

Let's check that data is arriving using the Search app. Under Apps, click Search & Reporting > Data Summary.

Data has started coming in. Click Hosts to see the forwarders that are reporting in.

Click on Sources to see the sources of the events generated.
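The Forwarded Input wizard above is a front end for two Splunk configuration files: a deployment app containing `inputs.conf`, and a server class in `serverclass.conf` that says which forwarders receive it. Writing them out yourself makes the configuration reviewable and reproducible, and the CLI search at the end is the same "is data arriving?" check as Data Summary. The block below is an added example and not what the page's wizard literally writes; it runs on the deployment server, assumed here to be the Splunk Enterprise host on Windows at the default path, and the app name `win_eventlogs`, class name `windows_forwarders` and index `winevents` are constructed for this lab. Where the page leaves the index at its default, this example targets the index created earlier.

```powershell
# Added example, not part of the original post: the deployment app and server
# class that the "Forwarded Input" wizard above creates, written out explicitly,
# followed by the same "is data arriving?" check as Data Summary. Run on the
# deployment server, which in this lab is the Splunk Enterprise host (assumed
# Windows, default path). App, class and index names are constructed here.
$SplunkHome = 'C:\Program Files\Splunk'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$AppName    = 'win_eventlogs'
$ClassName  = 'windows_forwarders'
$IndexName  = 'winevents'
$Cred       = Get-Credential -UserName 'admin' -Message 'Splunk admin credentials'
$Auth       = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password

# 1. Deployment app: the inputs every member of the class will receive.
#    renderXml keeps the events compact and field extraction consistent.
$AppLocal = Join-Path $SplunkHome "etc\deployment-apps\${AppName}\local"
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null
@"
[WinEventLog://Security]
disabled = 0
index = ${IndexName}
renderXml = true

[WinEventLog://System]
disabled = 0
index = ${IndexName}
renderXml = true

[WinEventLog://Application]
disabled = 0
index = ${IndexName}
renderXml = true
"@ | Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Encoding ASCII

# 2. Server class: which forwarders get the app. machineTypesFilter limits it to
#    Windows x64 clients rather than the wizard's "Add all". Add-Content keeps
#    any classes that already exist in the file.
$ServerClassConf = Join-Path $SplunkHome 'etc\system\local\serverclass.conf'
@"

[serverClass:${ClassName}]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:${ClassName}:app:${AppName}]
restartSplunkd = true
stateOnClient = enabled
"@ | Add-Content -Path $ServerClassConf -Encoding ASCII

# 3. Make the deployment server pick up the new class; clients fetch it on their
#    next poll (60 s by default) and restart splunkd to load the inputs.
& $Splunk reload deploy-server -auth $Auth
& $Splunk list deploy-clients -auth $Auth

# 4. Same check as Search & Reporting > Data Summary, from the CLI. Run it a
#    minute or two after the reload; an empty result means no forwarder in the
#    class has reconnected with the new inputs yet.
& $Splunk search "index=${IndexName} earliest=-15m | stats count by host, source" -auth $Auth
```

`list deploy-clients` is the first thing to look at when nothing arrives: a forwarder missing from that list never reached the deployment server on 8089, so it never received the inputs, and no amount of searching on the indexer will fix that.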

In our next lab, we will learn how to search data in Splunk using the Search app.

