How to configure Universal Forwarder on my persona...

ashishmaind2499 · ‎05-11-2018

I installed Splunk Universal Fwd and Splunk Enterprise on my C drive. I created a sample file and modified the inputs.conf as mentioned in one of the ans(link given below) and enabled the receiver by setting port to 9997. Do we have to modify/create outputs.conf file? I tried creating outputs.conf too..but no use. In outputs.conf I gave the server name as localhost and port as 9997. Am I missing something? Also, do we have to modify anything in distributed search? I assume my Splunk Enterprise is acting both as SH and Indexer.
Have referred to below ans but didnt got the answer
https://answers.splunk.com/answers/490343/how-to-properly-configure-universal-forwarder-loca.html#an...

jkat54 · ‎05-11-2018

Please share your inputs.conf and outputs.conf.

Also check if firewall is blocking any ports please.

xpac · ‎05-12-2018

If you're running both on the same system, you might run into trouble because, by default, both want to listen on TCP 9997.
Check if both instances actually run, you might have to change the splunkd port of the UF using server.conf.

How to configure Universal Forwarder on my personal machine where Splunk Enterprise is installed for learning purpose?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation