I was using Splunk Enterprise and my license had expired but I still want to have additional inputs using Universal Forwarder.
I have looked at the several inputs.conf files and I cannot find where I would change the setting to add the new forwarder.
The only reference I can find to the Universal Forwarder is in the "\etc\deployment-apps" directory. I tried copying and renaming the directory to the hostname but the splunkd file in the hostname still cannot connect.
There are several limits using Splunk Free instead of Splunk Enterprise (for more details see https://www.splunk.com/en_us/software/features-comparison-chart.html ), but there are no limits on receiving data from Universal Forwarders.
But I think that you have some confusion, because deployment-apps is a folder that contains apps to deploy to Universal Forwarders when your Splunk Server is playing the Deployment Server role.
What's your need? Do you need to take logs from the same server where Splunk is installed or from another one where Universal Forwarder is installed?
In the first case, you can take logs in the input section of Settings.
In the second case, you have to create a Technical Add-On that contains the inputs.conf that you need and manually copy or deploy it using Deployment Server into the Universal Forwarder.
For more information, I suggest reading https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Getstartedwithgettingdatain .
Ciao and Happy New Year.
Thanks for the reply Giuseppe.
When I was under the trial license, I was installing forwarders on remote hosts and I was able to add Windows Event Logs through Settings > Data Inputs > Forwarded Inputs > New Remote Windows Logs. But doing this through the menus appears to be disabled with the Free License.
I was trying to look for the appropriate inputs.conf file that contained a list of the existing hosts that I am receiving data from the Universal Forwarders so I can modify it to add a new host to monitor but I cannot locate it.
I hope my reply clarifies my situation.
Happy New Year!
The solution for your need is to create a Technical Add-On that contains the inputs.conf that you need and manually copy or deploy it using Deployment Server into the Universal Forwarder.
If you need to take Windows logs, I suggest using the Splunk TA Windows (that you can find at https://splunkbase.splunk.com/app/742/ ) where all the Windows data are ready to be taken.
The procedure is:
I think that you already configured your UF to send data to Indexer, otherwise, you have to do it.
The above procedure can also be done using your Splunk as a Deployment Server (Splunk says that you can have the Deployment Server role on the same server if you have less than 50 clients) following the documentation at https://docs.splunk.com/Documentation/Splunk/8.0.1/Updating/Aboutdeploymentserver .
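
An added illustration of the add-on approach described in the reply above (not part of the original posts and not Splunk's shipped configuration): a minimal app copied to the Universal Forwarder, with an inputs.conf that enables Windows Event Log collection and an outputs.conf that points at the Splunk server. The app name `uf_windows_inputs`, the host `splunk.example.com` and port 9997 are assumptions; substitute your own values.

```ini
# --- On the Universal Forwarder (Windows host) ---
# File: %SPLUNK_HOME%\etc\apps\uf_windows_inputs\local\inputs.conf
# "uf_windows_inputs" is a hypothetical app name used for this example.

# Each stanza enables collection of one Windows Event Log channel.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

# File: %SPLUNK_HOME%\etc\apps\uf_windows_inputs\local\outputs.conf
# Assumes the Splunk server has receiving enabled on TCP 9997 and is
# reachable as splunk.example.com (placeholder host name).

[tcpout]
defaultGroup = primary_indexer

[tcpout:primary_indexer]
server = splunk.example.com:9997
```

Restart the forwarder after copying the app so the new stanzas are read.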