# Download the universal forwarder from here: http://www.splunk.com/download/universalforwarder You will need an account to download it.
# Copy it up to the servers:
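# Copy the forwarder RPM to each target host, one scp per address.
# The loop variable is quoted so a value containing whitespace or glob
# characters cannot be split or expanded into extra arguments (SC2086).
for i in IPADDRESS1 IPADDRESS2; do
  scp splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm "DLopez@$i:"
done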
# Install RPM: *sudo rpm -ivh splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm*
# Start splunk to create the necessary file structure:
root@sc9vl55:/data01/home/DLopez> /etc/init.d/splunk start
Splunk> Finding your faults, just like mom.
Checking mgmt port : open
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for typos... Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done
[ OK ]
# Add the forward-server: */opt/splunkforwarder/bin/splunk add forward-server 10.92.13.195:9997*. The default user and password are *admin/changeme*. The inputs.conf and server.conf files are created when the RPM is installed; this `add forward-server` command is what creates the outputs.conf file.
# Change the default credentials: */opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme*. Note that a password passed on the command line like this is recorded in the shell history and is visible to other users in the process list while the command runs, so treat that value as exposed on the host.
# Test forward connection: */opt/splunkforwarder/bin/splunk list forward-server*
# Finally, add the data you want to forward: */opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%*, where /path/to/app/logs/ is the path to the application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data. This will create an inputs.conf file here: */opt/splunkforwarder/etc/apps/search/local/inputs.conf*
# Restart splunk: */etc/init.d/splunk restart*