https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702106#M116144 <P>I'm trying to let Splunk Enterprise log some creation of a user on the same system as where Splunk is installed.</P><P>My Splunk-version is 9.3.1. Alongside with this install, I've installed the latest Universal Forwarder (win) (on localhost 127.0.0.1).<BR />When installing:<BR />- I skip the SSL page<BR />- click "Next"<BR />- select "Local System"<BR />- click "Next"<BR />- check all items under "Windows Log Events"<BR />- click "Next"<BR />- generate an admin account and password<BR />- leave the "Deployment Server"-settings empty<BR />- enter "127.0.0.1:9997" as Host and port for "Receiving Indexer"<BR />- finish the installer</P><P>Then I create a user (net user /add &lt;user&gt;) in CMD.<BR />After this step I return to Splunk Search and enter * as search criteria but nothing is found. Even when I enter the username (I added) the software finds nothing.</P><P>Can someone tell me what I'm doing wrong or what the issue can be?<BR />Thanks!<BR /><BR />Gerd</P> Wed, 16 Oct 2024 18:41:03 GMT gmoors 2024-10-16T18:41:03Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702106#M116144 <P>I'm trying to let Splunk Enterprise log some creation of a user on the same system as where Splunk is installed.</P><P>My Splunk-version is 9.3.1. Alongside with this install, I've installed the latest Universal Forwarder (win) (on localhost 127.0.0.1).<BR />When installing:<BR />- I skip the SSL page<BR />- click "Next"<BR />- select "Local System"<BR />- click "Next"<BR />- check all items under "Windows Log Events"<BR />- click "Next"<BR />- generate an admin account and password<BR />- leave the "Deployment Server"-settings empty<BR />- enter "127.0.0.1:9997" as Host and port for "Receiving Indexer"<BR />- finish the installer</P><P>Then I create a user (net user /add &lt;user&gt;) in CMD.<BR />After this step I return to Splunk Search and enter * as search criteria but nothing is found. Even when I enter the username (I added) the software finds nothing.</P><P>Can someone tell me what I'm doing wrong or what the issue can be?<BR />Thanks!<BR /><BR />Gerd</P> Wed, 16 Oct 2024 18:41:03 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702106#M116144 gmoors 2024-10-16T18:41:03Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702108#M116145 <P>Never mind...</P><P>I've <STRONG>stopped</STRONG> the universal forwarder-software, waited some second and <STRONG>restarted</STRONG> the forwarder.<BR />After this <STRONG>restart</STRONG> I performed a search (*)&nbsp; and it immediately gave me some results.</P><P>I then created a user in the PowerShell, and let Splunk search for the username, resulting in some lines regarding the user.</P><P>So... eventually it works as it should...</P><P>&nbsp;</P><P>With kind regards<BR />Gerd</P> Wed, 16 Oct 2024 19:16:32 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702108#M116145 gmoors 2024-10-16T19:16:32Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702109#M116146 <P>First and foremost - why are you installing a UF when you already have a full Splunk instance? Just add input(s) there.</P> Wed, 16 Oct 2024 19:20:25 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702109#M116146 PickleRick 2024-10-16T19:20:25Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702111#M116147 <P>Ooh - that isn't necessary?<BR />Sorry, I'm new to Splunk.</P><P>I was watching some tutorial on Udemy regarding Splunk and was following the guy who did the demo.<BR />After installing Splunk Enterprise, he started talking about the "universal forwarder" and how to install it. I thought it was part of the whole...</P><P>So it wasn't required?</P><P>&nbsp;</P> Wed, 16 Oct 2024 19:26:32 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702111#M116147 gmoors 2024-10-16T19:26:32Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702113#M116149 <P>Universal Forwarder is a lighweight component you typically install on remote machines to - as the name suggests - forward the data to your "main part" of Splunk installation. But if you already have full Splunk instance installed you don't need a UF (there are some border cases when such setup can be useful but makes the whole environment overly complicated).</P><P>So if you're just starting with Splunk, it's enough to add local windows event log inputs on the Splunk server.</P> Wed, 16 Oct 2024 19:32:28 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702113#M116149 PickleRick 2024-10-16T19:32:28Z https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702114#M116150 <P>Thanks for the clear info!</P> Wed, 16 Oct 2024 19:33:39 GMT https://community.splunk.com/t5/Getting-Data-In/windows-universal-forwarder-localhost/m-p/702114#M116150 gmoors 2024-10-16T19:33:39Z