Splunk Universal Forwarder Series: Windows Install Validation

This series will help you as you're working with the Splunk Universal Forwarder (UF). In this part of the tutorial, Tom will show you how to validate that the UF is checking in properly to the deployment server and that it is sending logs to your Splunk environment.

  • Tom Kopchak
  • Apr 11, 2019
  • Tested on Splunk Version: 6.0+

There are a number of steps you can take to validate that the Splunk Universal Forwarder is successfully installed. We'll separate these into two categories: what can be done on the host running the Universal Forwarder, and what can be done within Splunk.

On the UF host:

  • Validate that there are Splunk software files in the Splunk installation directory, which is typically C:\Program Files\SplunkUniversalForwarder\. If you only see an etc folder in this directory, the installation was unsuccessful.
  • Validate that there is a deployment client app (generally named all_deploymentclient) in C:\Program Files\SplunkUniversalForwarder\etc\apps. This is the configuration required for the Universal Forwarder to connect to your central Splunk installation.
  • You should see other apps appear in C:\Program Files\SplunkUniversalForwarder\etc\apps as the UF connects to the Deployment Server. Apps related to outputs or Windows inputs are deployed from the Deployment Server and are not included by default with the UF installer, so if you see anything like that, the installation and check-in were successful.
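The three host-side checks above can be run in one pass from an elevated PowerShell prompt. The script below is an added example and is not part of the original article or Splunk's own tooling. It assumes the default installation path, a deployment client app whose folder name contains "deploymentclient", a targetUri line in that app's deploymentclient.conf, the UF's default management port of 8089 when targetUri carries no port, and the SplunkForwarder Windows service name created by the MSI installer.

```powershell
# Added example (not from the original article): validate a Windows
# Universal Forwarder install against the on-host checks in the tutorial.
# Assumptions: default install path, app folder named *deploymentclient*,
# targetUri in deploymentclient.conf, port 8089 if none is given,
# service name "SplunkForwarder".
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

$results = [ordered]@{}
$appsDir = Join-Path $SplunkHome 'etc\apps'

# Check 1: the install directory must hold more than just 'etc'.
# A populated install has a bin folder containing splunk.exe.
$topLevel = Get-ChildItem -Path $SplunkHome -Directory -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$results['InstallDirPopulated'] = ($topLevel -contains 'bin') -and
    (Test-Path (Join-Path $SplunkHome 'bin\splunk.exe'))

# The forwarder runs as a Windows service; a stopped service never checks in.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
$results['ServiceStatus'] = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

# Check 2: the deployment client app (generally all_deploymentclient) exists.
$dcApp = Get-ChildItem -Path $appsDir -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*deploymentclient*' } |
    Select-Object -First 1
$results['DeploymentClientApp'] = if ($dcApp) { $dcApp.Name } else { $null }

# Read targetUri from deploymentclient.conf; local/ overrides default/.
$targetUri = $null
if ($dcApp) {
    foreach ($rel in @('local\deploymentclient.conf', 'default\deploymentclient.conf')) {
        $conf = Join-Path $dcApp.FullName $rel
        if (Test-Path $conf) {
            $m = Select-String -Path $conf -Pattern '^\s*targetUri\s*=\s*(\S+)' |
                Select-Object -First 1
            if ($m) { $targetUri = $m.Matches[0].Groups[1].Value; break }
        }
    }
}
$results['TargetUri'] = $targetUri

# If the UF is missing from Forwarder Management, the first thing to rule out
# is plain TCP reachability of the deployment server's management port.
if ($targetUri) {
    $dsHost, $dsPort = $targetUri -split ':', 2
    $port = if ($dsPort) { [int]$dsPort } else { 8089 }   # 8089 = UF default mgmt port
    $results['DeploymentServerReachable'] =
        (Test-NetConnection -ComputerName $dsHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
} else {
    $results['DeploymentServerReachable'] = 'NoTargetUri'
}

# Check 3: apps related to outputs or Windows are only ever pushed from the
# deployment server, so their presence proves a successful check-in.
$pushedApps = Get-ChildItem -Path $appsDir -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'output|windows' } |
    Select-Object -ExpandProperty Name
$results['DeployedAppsFound'] = if ($pushedApps) { $pushedApps -join ', ' } else { 'none' }

[pscustomobject]$results | Format-List
```

Run it on the UF host itself; an installation that passed is one where InstallDirPopulated is True, ServiceStatus is Running, a deployment client app and targetUri are reported, the deployment server is reachable, and at least one outputs or Windows app appears in DeployedAppsFound. If the last field reads "none" while everything else passes, give the forwarder a minute to poll the deployment server before moving on to the Splunk-side checks.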

On the Splunk instance:

  • Check the Forwarder Management interface for the Deployment Server to see if the UF shows up in the list of clients. If you don't see the host in the list, check to make sure the UF can connect to the deployment server.
  • Search the internal logs for entries from the host: index=_internal host=<hostname>
  • Search for data from the host: host=<hostname> OR index=* host=<hostname>
