---
title: Installing and configuring the Splunk Universal Forwarder
description: Install and configure the Splunk Universal Forwarder to collect attack data and forward it to the Splunk server.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_splunk_universal_forwarder
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_splunk_universal_forwarder.html
revdate: April 3, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  troubleshooting: Troubleshooting:
---

# Installing and configuring the Splunk Universal Forwarder

Install and configure the Splunk Universal Forwarder to collect attack data and forward it to the Splunk server.

## About this task

To install and configure the Splunk Universal Forwarder:

## Steps

1. Download Splunk Universal Forwarder 8.0.0. For more information, see [Splunk® Universal Forwarder Manual](https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Abouttheuniversalforwarder).

2. Install the Splunk Universal Forwarder by entering the following command:

   ```
   [root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz
   splunkforwarder/
   splunkforwarder/share/
   ```

   Note: Replace the file name given in the example command with the name of the file you downloaded in step 1.

3. Start the Splunk Universal Forwarder.

   ```
   [root@ABS]# cd splunkforwarder/bin
   [root@ABS]# ./splunk start --accept-license
   ```

4. Add forward server details (the receiver host and port in Splunk).

   ### Example:

   ```
   [root@dashboard]# ./splunk add forward-server ip:port

   Splunk username: admin
   Password:
   Added forwarding to: 192.168.1.158:9997.
   ```

   Note: Enable the receiving port in Splunk. For example, configure port number 9997 from the previous example in your Splunk deployment.

5. Edit the `inputs.conf` file on your Splunk Universal Forwarder by adding a monitor, as shown in the following example.

   ### Example:

   ```
   [root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/
   Added monitor of '/opt/pingidentity/splunk/data/'.
   ```

6. Edit the `inputs.conf` file on your Splunk Universal Forwarder.

   ```
   [root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf

   [monitor:///opt/pingidentity/pingidentity/dataengine/logs/attack.log/]

   index = pi_events
   sourcetype=pi_events_source_type
   disabled = false
   ```

7. Restart the Splunk Universal Forwarder.

   ```
   [root@ABS]# ./splunk restart
   ```

8. Verify that data is flowing to Splunk on the Splunk Dashboard.

   ![A screenshot of attack data captured in Splunk.](../_images/ckm1576571053694.png)

   ### Troubleshooting:

   If no data is available in Splunk, check your firewall settings.
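
A pre-flight check for steps 4 through 6 and the troubleshooting note, as an added example that is not part of the original documentation: `check_inputs` confirms that every `[monitor://...]` stanza in an `inputs.conf` sets `index` and `sourcetype` and is not disabled, and `check_receiver` tests whether the receiving port is reachable over TCP. The function names and the second sample stanza are constructed for illustration; the script assumes `bash`, `awk` and the coreutils `timeout` command.

```bash
#!/usr/bin/env bash
# Added example; function names and the second sample stanza are constructed.
# check_inputs FILE: print one finding per problem in [monitor://...] stanzas.
# Returns 0 only if every monitor stanza sets index and sourcetype and is enabled.
check_inputs() {
  awk '
    function report() {
      if (stanza == "") return
      if (!("index" in kv))      { print stanza ": no index set"; bad = 1 }
      if (!("sourcetype" in kv)) { print stanza ": no sourcetype set"; bad = 1 }
      if (kv["disabled"] ~ /^(1|true)$/) { print stanza ": input is disabled"; bad = 1 }
      split("", kv)                               # clear settings for the next stanza
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    /^\[/ {                                       # stanza header: close the previous one
      report()
      stanza = ($0 ~ /^\[monitor:\/\//) ? $0 : ""
      if (stanza != "") seen++
      next
    }
    stanza != "" {                                # key = value line inside a monitor stanza
      key = $0; sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      kv[key] = tolower(val)
    }
    END { report(); if (!seen) { print "no monitor stanza found"; bad = 1 }; exit bad + 0 }
  ' "$1"
}

# check_receiver HOST PORT: succeed if a TCP connection to the receiving port opens
# within 5 seconds (bash /dev/tcp); a firewall drop typically shows up as a timeout.
check_receiver() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Constructed sample: the stanza from step 6 plus an incomplete, disabled one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[monitor:///opt/pingidentity/pingidentity/dataengine/logs/attack.log/]

index = pi_events
sourcetype=pi_events_source_type
disabled = false

[monitor:///tmp/constructed-example.log]
disabled = true
EOF
check_inputs "$sample" || echo "inputs.conf needs attention"
# Real host: check_inputs /opt/splunkforwarder/etc/apps/search/local/inputs.conf; check_receiver 192.168.1.158 9997
```

On the sample, the stanza from step 6 passes and the constructed stanza produces three findings. A `check_receiver` failure from the forwarder host points at the firewall or at a receiving port that has not been enabled in Splunk.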
