1. Download Splunk Universal Forwarder 8.0.0.
  2. Install the Splunk Universal Forwarder by extracting the downloaded archive with the following command.
    [root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz
    splunkforwarder/
    splunkforwarder/share/
    
    Note:

    Replace the file name given in the example command with the name of the file you downloaded in step 1.

  3. Start the Splunk Universal Forwarder.
    [root@ABS]# cd splunkforwarder/bin
    [root@ABS]# ./splunk start --accept-license
    
  4. Add the forward-server details (the host and port on which Splunk receives data). The forwarder prompts for Splunk credentials.
    [root@dashboard]# ./splunk add forward-server <ip>:<port>
    
    Splunk username: admin
    Password:
    Added forwarding to: 192.168.1.158:9997.
    Note:

    Enable receiving on that port in your Splunk deployment (Settings > Forwarding and receiving > Configure receiving). For example, configure port 9997 from the previous example. The forwarder cannot deliver data until the receiver is listening.

  5. Add a monitor input for the PingIntelligence data directory on your Splunk Forwarder. This command writes a monitor stanza to inputs.conf.
    [root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/
    Added monitor of '/opt/pingidentity/splunk/data/'.
    
  6. Edit the inputs.conf file on your Splunk Forwarder so that the monitored path sends events to the intended index and sourcetype, as in the following example.
    [root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf 
    
    [monitor:///opt/pingidentity/pingidentity/dashboard/logs/attack.log/] 
    
    index = pi_events 
    sourcetype = pi_events_source_type 
    disabled = false
  7. Restart the Splunk Universal Forwarder.
    [root@ABS]# ./splunk restart
    
  8. Verify that data is flowing to Splunk by searching the configured index (for example, index=pi_events).

    [Screenshot: data flow in Splunk]

    If no data appears in Splunk, confirm that receiving is enabled on the port from step 4, that the firewall between the forwarder host and the Splunk receiver allows that TCP port, and that the forwarder shows the receiver as active in the output of ./splunk list forward-server.
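The steps above, collected into one script as an added example that is not part of the PingIntelligence documentation or the Splunk product. The script renders and validates the inputs.conf stanza from steps 5 and 6, checks that the receiver port accepts connections for the troubleshooting in step 8, and applies the splunk CLI commands only when run with --apply. All values (SPLUNK_HOME, RECEIVER, MONITOR_PATH, INDEX, SOURCETYPE) are assumed defaults taken from the examples above and should be replaced for your deployment.

```shell
#!/bin/sh
# Added example script (not from the PingIntelligence docs or Splunk).
# Assumed defaults, taken from the examples in this procedure; override via environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
RECEIVER="${RECEIVER:-192.168.1.158:9997}"                  # Splunk receiver host:port (step 4)
MONITOR_PATH="${MONITOR_PATH:-/opt/pingidentity/splunk/data}"  # PingIntelligence data dir (step 5)
INDEX="${INDEX:-pi_events}"                                 # index from step 6
SOURCETYPE="${SOURCETYPE:-pi_events_source_type}"           # sourcetype from step 6

# Render the inputs.conf monitor stanza (step 6) for a path, index and sourcetype.
render_monitor_stanza() {
  printf '[monitor://%s]\nindex = %s\nsourcetype = %s\ndisabled = false\n' "$1" "$2" "$3"
}

# Return 0 if inputs.conf file $1 has a monitor stanza for path $2 that is not disabled.
# Only lines inside that stanza are inspected, so a "disabled = true" in another
# stanza does not affect the result.
monitor_enabled_in() {
  awk -v want="[monitor://$2]" '
    $0 == want { in_stanza = 1; found = 1; next }
    /^\[/      { in_stanza = 0 }
    in_stanza && $0 ~ /^disabled[ \t]*=[ \t]*(true|1)[ \t]*$/ { disabled = 1 }
    END { exit (found && !disabled) ? 0 : 1 }
  ' "$1"
}

# Return 0 if the receiver host:port accepts a TCP connection (step 8 troubleshooting).
# Uses nc when present, otherwise bash's /dev/tcp; a failure here usually means the
# receiving port is not enabled in Splunk or a firewall blocks it.
receiver_reachable() {
  host=${1%%:*}; port=${1##*:}
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  fi
}

# Apply steps 3 to 7 with the Splunk CLI. Guarded so that sourcing or testing
# this file does not touch a live forwarder.
if [ "${1:-}" = "--apply" ]; then
  SPLUNK="$SPLUNK_HOME/bin/splunk"
  "$SPLUNK" start --accept-license --answer-yes --no-prompt
  "$SPLUNK" add forward-server "$RECEIVER"
  "$SPLUNK" add monitor "$MONITOR_PATH" -index "$INDEX" -sourcetype "$SOURCETYPE"
  "$SPLUNK" restart
  "$SPLUNK" list forward-server
  if receiver_reachable "$RECEIVER"; then
    echo "receiver $RECEIVER reachable"
  else
    echo "receiver $RECEIVER NOT reachable: enable receiving in Splunk and check the firewall" >&2
    exit 1
  fi
fi
```

Run it as `./forwarder-setup.sh --apply` as the user that owns the forwarder installation. Passing -index and -sourcetype to `splunk add monitor` writes the same stanza that step 6 edits by hand, so the manual edit becomes a review step rather than a required one.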