Can someone please let me know the step by step pr...

anuj1630 · ‎08-01-2017

I have some logs in my localhost which i need to push to Splunk using the forwarder. Please help.

woodcock · ‎08-01-2017

We need WAY more information. Do you have an already-functioning Indexing Tier or are you using an All-in-one instance? If the latter, is this same instance the forwarder, too? Do you have a Deployment Server? Do you have other Windows forwarders already working (or is the first one)? What have you tried?

gcusello · ‎08-01-2017

Hi anuj1630,
if you have not many Forwarders, you can follow the guided installation procedure: it asks to insert the Certificate location, the Deployment Server, the Indexer and Windows logs:

Certificate can be blank (if you havent it). Deployment Server is very useful and I suggest to use it: to do this you have to insert the Deployment Server address and port (8089 usually), if instead you're only making a test, you don't need it.
Indexer is the Indexer to send log, you have to insert the Indexer address and port (9997 usually), if you have more than one Indexers, you can configure only one indexer in the guided procedure, the others must be added by CLI (%SPLUNK_HOME\bin\splunk add forward-server xx.xx.xx.xx:9997).
About Windows logs, I suggest to not configure them in this guided procedure and install the Splunk_TA_Windows.

If instead you have many Forwarders to configure, I suggest to set only Deployment Server and deploy a TA with Indexers (outputs.conf file).

I hope to be clear.

Bye.
Giuseppe

Can someone please let me know the step by step process of configuring the Splunk Universal Forwarder for Windows?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!