I have Installed a Splunk universal forwarder on a Windows host and started the services. But while adding the data under "Add data" in my Splunk app, I am not able to see the installed Windows machine on list of forwarders. Is that something I need to edit the inputs.conf on the forwarder? Could someone share steps to send logs from Windows machine to a Splunk server (linux)?
There are several settings that you need to configure before this works:
Install the UF software on the server where you want to collect the data from and send it to the indexer.
Configure the forwarder to connect to the indexer. The indexer listens on a receiving port for forwarded data.
You also need to configure the receiving port (for example 9997) on the indexer first (one time only): The indexer listens on a receiving port for forwarded data. See--> http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Enableareceiver
On the indexer: Settings->Forwarding & Receiving->Configure Receiving or in command line: splunk enable listen <9997>
This is saved in the inputs.conf on the indexer [splunktcp://9997]
Set up forwarding on the Universal Forwarder: Configure outputs.conf [tcpout:splunk_indexer] server = ipadress:9997
You can do this in command line: splunk add forward-server indexername:9997
