How can I use Splunk Forwarder on my personal laptop for testing purposes and forward data to Splunk from a monitored local text log file kept in a directory? Please note that I have Splunk and Splunk Forwarder on the same laptop. If this is possible, please guide me. I have used the Files and Directory option in Splunk to get the data into the indexers and search it. It is working as expected.
This is just for visualizing Splunk Forwarder forwarding data to Splunk. Nothing else.
If Splunk is running locally on the machine you are looking to ingest data from, you do not need a separate forwarder. You'll just need to go into your Splunk Enterprise application, and create a "File Monitor" on the files you would like to ingest on that machine.
Hey @gagandeepbhatti, if they solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
Thank you for your reply!!
I have tried that and it's working fine with Splunk Enterprise. I am able to put the data in indexers and search it.
Does it mean that I can use Splunk Forwarder(s) on servers only? I wanted to do a POC to check the configuration of Splunk Forwarder and whether it works successfully for me or not.
Sorry gagandeepbhatti, I'm not exactly sure what you're asking.
Splunk Enterprise is a full installation that allows you to receive, parse, index, and search through data.
Splunk Universal Forwarders are a lightweight installation that is solely meant to send data from a device (could be a laptop, a server, whatever).
If you are ingesting local files (files and Splunk Enterprise live on the same machine), you do not need to install a forwarder on that machine.
If the files you want to search live on a machine that is separate from the Splunk Enterprise installation, then you will need to install a forwarder on the source machine. Documentation to install and set up is here: http://docs.splunk.com/Documentation/Forwarder/6.6.3/Forwarder/Configuretheuniversalforwarder
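For the second case described in the answer above, where the log file lives on a different machine from Splunk Enterprise, a minimal forwarder setup looks like the following. This is an added example, not part of the original answer; the log path, sourcetype, receiver host name and output group name are assumed placeholders, and 9997 is the conventional receiving port rather than a value taken from the thread.

```ini
# --- On the Splunk Enterprise (receiving) machine ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept data from forwarders on TCP 9997 (conventional port, assumed here).
[splunktcp://9997]
disabled = false

# --- On the Universal Forwarder (source) machine ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Tail one local text log file. The path is a placeholder; point it at
# the file or directory you actually want to monitor.
[monitor:///var/log/myapp/app.log]
index = main
# Constructed sourcetype name, used only to make the test data easy to find.
sourcetype = myapp_log
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Send everything this forwarder collects to the receiver above.
[tcpout]
defaultGroup = poc_indexers

# Group name and host are placeholders for your own receiver.
[tcpout:poc_indexers]
server = splunk-enterprise.example.com:9997
```

Restart both instances after editing the files, then search `index=main sourcetype=myapp_log` on Splunk Enterprise to confirm that events written to the monitored file arrive.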
Thank you for your reply.
I will test Splunk Forwarder on a server in that case.