Install

As of Splunk 9.1, the universal forwarder installs a new least-privileged user called splunkfwd. This means that the user name for Splunk Enterprise, "splunk", and your universal forwarder user name, "splunkfwd", will be different. We recommend that you implement the splunkfwd user; however, if your system requires that your Splunk Enterprise and universal forwarder user names be identical, see Manage a Linux least-privileged user in this manual.

  1. Download the forwarder package:
wget -O splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb "https://download.splunk.com/products/universalforwarder/releases/9.1.2/linux/splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb"
  2. Log in as root on the machine on which you want to install the universal forwarder.
  3. Create the splunkfwd group and user (the group first, so that useradd can assign it as the primary group instead of failing on a group that already exists):
groupadd splunkfwd
useradd -m -g splunkfwd splunkfwd
  4. Install the Splunk software as described in the installation instructions for your platform. Create the $SPLUNK_HOME directory wherever you want it:
mkdir /opt/splunkforwarder
cd /opt/splunkforwarder
  5. Make sure the splunkforwarder .deb you downloaded is in the current directory, then install it:
dpkg -i splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
  6. Run chown to change the ownership of the splunkforwarder directory and everything under it to the user that will run the software:
chown -R splunkfwd:splunkfwd /opt/splunkforwarder

If you change users, you must run this command again. If the chown binary on your system does not support changing group ownership, use the chgrp command instead. See the man pages on your system for details on changing group ownership.

  7. Enable start at boot under systemd, running as the splunkfwd user and group:
/opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user splunkfwd -group splunkfwd
  8. As root (or with sudo), start the forwarder and accept the license:
/opt/splunkforwarder/bin/splunk start --accept-license
  9. Add the indexer (receiving server) to forward to:
/opt/splunkforwarder/bin/splunk add forward-server 192.168.50.128:9997
  10. Add the log files to send to the indexer (replace the placeholder with the path to monitor):
/opt/splunkforwarder/bin/splunk add monitor "log location"
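Once the steps above are done, a few read-back checks confirm that each one took effect: the downloaded package matches a digest obtained separately from the download, nothing under $SPLUNK_HOME is left owned by root after the chown, and outputs.conf names the indexer you intended. This is an added example, not part of this page or of Splunk's own tooling; it assumes GNU coreutils and the default $SPLUNK_HOME of /opt/splunkforwarder used in the steps.

```shell
#!/bin/sh
# Post-install checks for the forwarder steps above. Added example, not part of
# this page or of Splunk's tooling. Assumes GNU coreutils (sha512sum, stat, mktemp)
# and the default SPLUNK_HOME of /opt/splunkforwarder used in the steps.

# Compare the downloaded .deb against a SHA-512 digest obtained separately from the
# download itself (Splunk publishes one per release; pass the value in, never
# hard-code it). Exit status 0 on match, 1 on mismatch or unreadable file.
verify_deb_sha512() {
    actual=$(sha512sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# After `chown -R`, count entries under a tree whose numeric uid:gid differs from
# the least-privileged account, e.g. "$(id -u splunkfwd):$(id -g splunkfwd)".
# Prints the count; 0 means the chown step took effect everywhere.
count_foreign_owners() {
    find "$1" -exec stat -c '%u:%g' {} + | grep -vc "^$2\$"
}

# Read back the indexers that `splunk add forward-server` wrote into
# $SPLUNK_HOME/etc/system/local/outputs.conf (comma-separated `server =` values),
# one host:port per line, so the target can be checked against what was intended.
forward_servers() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep .
}

# Demonstration on constructed data: a stand-in package file and an outputs.conf
# in the shape `splunk add forward-server 192.168.50.128:9997` leaves behind.
demo() {
    tmp=$(mktemp -d)
    printf 'stand-in for the .deb\n' > "$tmp/fake.deb"
    good=$(sha512sum "$tmp/fake.deb" | awk '{print $1}')
    verify_deb_sha512 "$tmp/fake.deb" "$good" && echo "digest ok"
    verify_deb_sha512 "$tmp/fake.deb" "deadbeef" || echo "digest MISMATCH: do not install"
    echo "entries not owned by $(id -u):$(id -g): $(count_foreign_owners "$tmp" "$(id -u):$(id -g)")"
    cat > "$tmp/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.50.128:9997
EOF
    echo "forward servers:"; forward_servers "$tmp/outputs.conf"
    rm -rf "$tmp"
}
demo
```

On a real host, point count_foreign_owners at /opt/splunkforwarder with the splunkfwd ids and forward_servers at $SPLUNK_HOME/etc/system/local/outputs.conf.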

Uninstall

If you are not able to use package management commands, or you run HP-UX, use these instructions to uninstall the software manually.

  1. Stop the forwarder:
$SPLUNK_HOME/bin/splunk stop
  2. Find any lingering processes that contain "splunk" in their name and use kill to end them:
kill -9 $(ps -ef | grep splunk | grep -v grep | awk '{print $2}')
  3. Remove the universal forwarder installation directory, $SPLUNK_HOME:
rm -rf /opt/splunkforwarder
  4. (Optional) Delete the splunkfwd user and group that you created, if they exist:
userdel splunkfwd
groupdel splunkfwd

Note: Where the service is configured to run on *nix under systemd, use the following commands: