Step by step guide to install with Splunk Forwarder 7.0.2

In the earlier how-to guide we saw the step-by-step setup of the Splunk Enterprise server. Now let us see how to set up the client side by installing the Splunk forwarder on all our client servers.

Find more Splunk related topics:

  1. Step by step guide to install with Splunk Enterprise 7.0.2
  2. Step by step guide to install with Splunk Forwarder 7.0.2
  3. Splunk forwarder installation using Ansible
  4. How to forward the logs from clients to Splunk Master using the forwarder
  5. How to run a simple query from Splunk Search & Reporting

If you have not yet downloaded the forwarder package, get it from the URL below using the same credentials you used to download Splunk Enterprise.

Splunk Forwarder Download URL

When we downloaded Splunk Enterprise we also downloaded the client (forwarder) package; now let us copy it to all the required servers using the scp command.

# scp splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm ansiclient1:/root
# scp splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm ansiclient2:/root
# scp splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm ansiclient3:/root

Start the installation using the rpm command.

# rpm -ivh splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm
[root@ansiclient1 ~]# rpm -ivh splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm 
warning: splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 653fb112: NOKEY
Preparing... ################################# [100%]
useradd: cannot create directory /opt/splunkforwarder
Updating / installing...
1:splunkforwarder-7.0.2-03bbabbd5c0################################# [100%]
complete
[root@ansiclient1 ~]#

Once the installation is done we need to enable the service to start at boot time, so that whenever the server reboots the Splunk forwarder service starts automatically without manual intervention. As we saw while setting up Splunk Enterprise, we need to agree to the licence agreement the first time we start the service.

# /opt/splunkforwarder/bin/splunk enable boot-start
[root@ansiclient1 ~]# /opt/splunkforwarder/bin/splunk enable boot-start 
SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING, 
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING 
SPLUNK SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS 
AGREEMENT, AND AGREE TO BE LEGALLY BOUND BY IT ON BEHALF OF THE COMPANY, 
GOVERNMENT, OR OTHER ENTITY FOR WHICH YOU ARE ACTING (FOR EXAMPLE, AS AN 
Splunk Software License Agreement 09.26.2017 1

Do you agree with this license? [y/n]: y

This appears to be your first time running this version of Splunk.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root@ansiclient1 ~]#

After installation the Splunk Forwarder service is not started by default, so let us start the service and check its status.

# systemctl status splunk
# systemctl start splunk
[root@ansiclient1 ~]# systemctl start splunk
[root@ansiclient1 ~]# 
[root@ansiclient1 ~]# systemctl status splunk
● splunk.service - SYSV: Splunk indexer service
   Loaded: loaded (/etc/rc.d/init.d/splunk; bad; vendor preset: disabled)
   Active: active (running) since Fri 2018-03-09 10:00:23 IST; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2597 ExecStop=/etc/rc.d/init.d/splunk stop (code=exited, status=0/SUCCESS)
  Process: 2638 ExecStart=/etc/rc.d/init.d/splunk start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/splunk.service
           ├─2664 splunkd -p 8089 start
           └─2667 [splunkd pid=2664] splunkd -p 8089 start [process-runner]

Mar 09 10:00:22 ansiclient1.oel7.local splunk[2638]: Done
Mar 09 10:00:22 ansiclient1.oel7.local splunk[2638]: Checking default conf files for edits...
Mar 09 10:00:22 ansiclient1.oel7.local splunk[2638]: Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x...-manifest'
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: [ OK ]
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: All installed files intact.
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: Done
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: All preliminary checks passed.
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: Starting splunk server daemon (splunkd)...
Mar 09 10:00:23 ansiclient1.oel7.local splunk[2638]: Done
Mar 09 10:00:23 ansiclient1.oel7.local systemd[1]: Started SYSV: Splunk indexer service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@ansiclient1 ~]#
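The four steps above (copy the package, rpm install, enable boot-start, start the service) rolled out to all three clients in one script, as an added example that is not part of the original guide; it refuses to install unless the package signature verifies, since the rpm output above ("key ID 653fb112: NOKEY") shows the signature was never checked. The signing-key path, the --deploy switch and the ssh/scp access as root are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): distribute the forwarder RPM
# to every client over scp, verify its signature with `rpm -K`, then install,
# enable boot-start and start the service. Assumed: the Splunk release signing
# key was fetched from Splunk's download page to $SPLUNK_GPG_KEY (hypothetical
# path), and root ssh/scp access to the clients exists as in the guide.
set -eu

RPM="splunkforwarder-7.0.2-03bbabbd5c0f-linux-2.6-x86_64.rpm"
SPLUNK_GPG_KEY="${SPLUNK_GPG_KEY:-/root/splunk-release.key}"   # assumed path
CLIENTS="ansiclient1 ansiclient2 ansiclient3"

# Decide from one line of `rpm -K` output whether the package may be installed.
# Passes only when a pgp signature (rpm 4.11: "... pgp md5 OK") or the
# "signatures" field (rpm 4.14+: "digests signatures OK") verified. "NOT OK",
# a missing key, or an unsigned package ("digests OK", no signature) all fail.
signature_ok() {
    case "$1" in
        *"NOT OK"*|*MISSING*|*NOKEY*) return 1 ;;
        *pgp*OK|*PGP*OK|*signatures*OK) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the package and key to one host, verify, then install and start.
install_on() {
    host="$1"
    scp "$RPM" "$SPLUNK_GPG_KEY" "$host:/root/"
    ssh "$host" "rpm --import /root/$(basename "$SPLUNK_GPG_KEY")"
    sig=$(ssh "$host" "rpm -K /root/$RPM")
    if ! signature_ok "$sig"; then
        echo "$host: refusing to install, signature check failed: $sig" >&2
        return 1
    fi
    # --accept-license answers the licence prompt seen in the guide non-interactively.
    ssh "$host" "rpm -ivh /root/$RPM \
        && /opt/splunkforwarder/bin/splunk enable boot-start --accept-license \
        && systemctl start splunk && systemctl is-active splunk"
}

# Only deploy when explicitly asked, so the functions can be sourced and checked.
if [ "${1:-}" = "--deploy" ]; then
    for h in $CLIENTS; do
        install_on "$h"
    done
fi
```

Run it as `sh deploy-forwarder.sh --deploy`; a client whose package fails verification is reported on stderr and the script stops before touching it.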

That’s it. We have successfully installed the Splunk Forwarder (client), which will push the logs to the Splunk receiver (Splunk Enterprise).

In the upcoming guide we will see how to forward the logs from the clients to the Splunk master using the forwarder.