  1. Download Splunk Universal Forwarder 8.0.0. For more information, see the Splunk® Universal Forwarder Manual.
  2. Install the Splunk Universal Forwarder by extracting the downloaded archive with the following command.
    [root@ABS]# tar -xvf splunkforwarder-8.0.0-8c86330ac18-Linux-x86_64.tgz

    Replace the file name given in the example command with the name of the file you downloaded in step 1.

  3. Start the Splunk Universal Forwarder.
    [root@ABS]# cd splunkforwarder/bin
    [root@ABS]# ./splunk start --accept-license
  4. Add the forward-server details (the receiver host and port in Splunk).
    [root@dashboard]# ./splunk add forward-server ip:port
    Splunk username: admin
    Password:
    Added forwarding to:

    Enable the receiving port in Splunk. For example, if you specified port 9997 in the previous command, configure your Splunk deployment to receive data on port 9997.

  5. Add a monitor for the data directory on your Splunk Universal Forwarder, as shown in the following example. This writes a monitor stanza to the inputs.conf file.
    [root@ABS]# ./splunk add monitor /opt/pingidentity/splunk/data/
    Added monitor of '/opt/pingidentity/splunk/data/'.
  6. Edit the inputs.conf file on your Splunk Universal Forwarder so that the monitor stanza sends data to the pi_events index, as in the following example.
    [root@dashboard]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf
    [monitor:///opt/pingidentity/splunk/data/]
    index = pi_events
    disabled = false
  7. Restart the Splunk Universal Forwarder.
    [root@ABS]# ./splunk restart
  8. Verify that data is flowing to Splunk in the Splunk dashboard.

    Figure: Attack data captured in Splunk

    If no data appears in Splunk, check your firewall settings.
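The following script is an added example and not part of the original procedure: it checks the result of steps 4 to 6 on the forwarder host by verifying that inputs.conf carries the monitor stanza for /opt/pingidentity/splunk/data/ with index pi_events, and by testing a TCP connection to the Splunk receiving port, which is the usual cause of the "no data" case in step 8. The script name uf_check.sh and the UF_RECEIVER variable are assumptions; the paths and index come from the steps above.

```shell
#!/usr/bin/env bash
# Added example (not from the original procedure): post-install sanity
# check for a Splunk Universal Forwarder set up as in steps 4-6. The
# inputs.conf path, monitor directory and index are the page's values;
# the receiver host:port (UF_RECEIVER) is supplied by the operator.

# check_inputs_conf FILE PATH INDEX
# Exit 0 only if FILE has a [monitor://PATH] stanza that contains both
# "index = INDEX" and "disabled = false"; settings in other stanzas are
# ignored so a mis-placed index line does not pass the check.
check_inputs_conf() {
  file=$1; path=$2; index=$3
  awk -v want="[monitor://${path}]" -v idx="$index" '
    { sub(/[[:space:]]+$/, "") }                # drop trailing blanks / CR
    /^\[/ { in_stanza = ($0 == want); next }    # track the current stanza
    in_stanza && /^[[:space:]]*index[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); if ($0 == idx) got_index = 1
    }
    in_stanza && /^[[:space:]]*disabled[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); if ($0 == "false") enabled = 1
    }
    END { exit !(got_index && enabled) }
  ' "$file"
}

# check_receiver HOST PORT
# TCP connect test from the forwarder to the Splunk receiving port, with a
# 3 second timeout. Failure means the port is not enabled on the Splunk
# side or a firewall between the hosts is blocking it.
check_receiver() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run both checks when invoked as: UF_RECEIVER=host:9997 ./uf_check.sh
if [ -n "${UF_RECEIVER:-}" ]; then
  conf=/opt/splunkforwarder/etc/apps/search/local/inputs.conf
  if check_inputs_conf "$conf" /opt/pingidentity/splunk/data/ pi_events; then
    echo "inputs.conf: monitor stanza with index pi_events present"
  else
    echo "inputs.conf: monitor stanza missing, disabled, or wrong index"
  fi
  if check_receiver "${UF_RECEIVER%%:*}" "${UF_RECEIVER##*:}"; then
    echo "receiver ${UF_RECEIVER}: reachable"
  else
    echo "receiver ${UF_RECEIVER}: unreachable (receiving port or firewall)"
  fi
fi
```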