
How to do it...
Follow these steps to configure the Splunk Forwarder to forward data and the Splunk indexer to receive data:
- On the server with the Universal Forwarder installed, open a command prompt if you are a Windows user or a terminal window if you are a Unix user.
- Change to the $SPLUNK_HOME/bin directory, where $SPLUNK_HOME is the directory in which the Splunk forwarder was installed.
- For Unix, the default installation directory will be /opt/splunkforwarder/bin. For Windows, it will be C:/Program Files/SplunkUniversalForwarder/bin.
If using Windows, omit ./ in front of the Splunk command in the upcoming steps.
- Start the Splunk forwarder, if not already started, using the following command:
./splunk start
- Accept the license agreement.
- Enable the Universal Forwarder to autostart, using the following command:
./splunk enable boot-start
- Set the indexer that this Universal Forwarder will send its data to. Replace <host> with the host of the indexer, and <username>:<password> with the username and password for the Universal Forwarder, using the following command:
./splunk add forward-server <host>:9997 -auth <username>:<password>
- <username>:<password> is the username and password used to log in to the forwarder (the default is admin:changeme).
Additional receiving indexers can be added in the same way by repeating the command in the previous step with a different indexer host or IP. Splunk will automatically load balance the forwarded data if more than one receiving indexer is specified in this manner. Port 9997 is the default Splunk TCP port and should only be changed if it cannot be used for some reason.
- Log in to your receiving Splunk indexer server. From the home launcher, in the top right-hand corner, click on the Settings menu item and then select the Forwarding and receiving link.
- Click on the Configure receiving link.
- Click on New.
- Enter 9997 in the Listen on this port field.
- Click on Save and restart Splunk.
The Universal Forwarder is installed and configured to send data to your Splunk server, and the Splunk server is configured to receive data on the default Splunk TCP port 9997.
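The following shell example is added here and is not from the book. It reads a forwarder's outputs.conf and an indexer's inputs.conf and lists any forward-server whose port the indexer is not listening on, a mismatch that otherwise only shows up as missing data. The stanza layout, hostnames and file contents are constructed samples of what the steps above typically write, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book. Function names and sample data are constructed.

# Print each host:port on a "server =" line inside a [tcpout:<group>] stanza.
list_forward_servers() {
    awk '
        /^[ \t]*\[/ { in_group = ($0 ~ /^[ \t]*\[tcpout:/); next }
        in_group && /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, "")
            n = split($0, s, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (s[i] != "") print s[i]
        }' "$1"
}

# Print the port of every [splunktcp://...] stanza (//9997, //:9997, //host:9997).
list_receiving_ports() {
    awk '/^[ \t]*\[splunktcp:\/\// {
        sub(/^[ \t]*\[splunktcp:\/\//, ""); sub(/\].*$/, ""); sub(/^.*:/, ""); print
    }' "$1"
}

# Print forward-servers (from $1) whose port has no listener in inputs.conf ($2).
unmatched_servers() {
    ports=" $(list_receiving_ports "$2" | tr '\n' ' ')"
    list_forward_servers "$1" | while IFS= read -r srv; do
        case "$ports" in
            *" ${srv##*:} "*) ;;                 # port is being listened on
            *) printf '%s\n' "$srv" ;;           # no matching receiving port
        esac
    done
}

# Constructed samples: forwarder outputs.conf and indexer inputs.conf.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = idx1.example.com:9997, idx2.example.com:9998
EOF
cat > "$SAMPLE_DIR/inputs.conf" <<'EOF'
[splunktcp://9997]
EOF

unmatched_servers "$SAMPLE_DIR/outputs.conf" "$SAMPLE_DIR/inputs.conf"   # prints idx2.example.com:9998
```

On a live system, point the functions at the real configuration files instead of the samples; the check assumes the inputs.conf belongs to the indexer the forwarder targets.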