
Configuring Apache log data forwarding


I have a Linux web server (Ubuntu 10.04 x64) that I would like to forward Apache log data from. I have installed the universal forwarder. How do I configure it to forward log data to my Splunk server?

If this is well documented, I apologize. I'm having difficulty finding this info.



Minimally, in /opt/splunkforwarder/etc/system/local




sourcetype = access_log

On the receiving end, you'll need to activate a corresponding receiving port under Management -> Forwarding/Receiving. (In this case, and by default, 9997.)


You can use a wild card, and that's better than a separate monitor stanza for each file. If you need something more sophisticated, you can add either a whitelist or a blacklist to the spec.

There is a new manual called "Getting Data In." Start here ( in the manual for help with inputs.conf

0 Karma


For the monitor, can I specify a wildcard in the access_log path (like /path/to/*.log), or does a separate [monitor] line need to be specified for each access_log?

0 Karma
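The two files the thread refers to, as an added example that is not taken from the original posts: an inputs.conf with a single wildcard monitor stanza and a filter, and an outputs.conf that sends to the receiving port 9997. The log directory, the regexes, the group name `primary_indexers` and the host `splunk.example.com` are assumptions to replace with your own values.

```ini
# /opt/splunkforwarder/etc/system/local/inputs.conf
# Assumed path: the default Apache log directory on Ubuntu.
# One wildcard stanza covers every matching file, so no per-file stanza is needed.
[monitor:///var/log/apache2/*.log]
sourcetype = access_log
# blacklist is a regex matched against the full file path. Constructed example:
# keep error.log out, since it would otherwise be indexed with the access_log sourcetype.
blacklist = error\.log$
# Alternative filter (constructed): forward only files whose path matches this regex.
# whitelist = access.*\.log$
disabled = false

# /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = primary_indexers

# Group name and host are placeholders. The port must match the receiving
# port enabled on the Splunk server (9997 in the answer above).
[tcpout:primary_indexers]
server = splunk.example.com:9997
```

Restart the forwarder after editing these files so the new stanzas are read. The account the forwarder runs as needs read access to the monitored log files, and nothing more than that.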