Splunk Enterprise Security

How to send log file by using Universal Forwarder

kevinsteeee
Explorer

Hello,

The following process variable logs are created in my system.

Time | Target | Variable | Status
00:00:00 1 99 On-line
00:00:01 2 89 On-line
......

01:01:03 10 76 Off-line

I want to send all process variable logs to Splunk's SIEM by using Universal Forwarder. However, I don't know how to set up its configuration to send the log file. Could you please tell me how I can set it up?

Thanks,
Kevin

0 Karma

tauliang
Communicator

I assume you want to monitor the file and send its content to SIEM? You will need to create an inputs.conf if it is not already created, and then put it into $SPLUNK_HOME/etc/system/local/

(1) Add UF server for the host
(2) Put full path of the file you want to monitor
(3) Define the sourcetype you want it to have and the index you want it to go to.

Last but not least, make sure to restart Splunk UF after all these changes so they can take effect. Also needed is an outputs.conf, and make sure it points to the indexer if you don't already have one.

More details can be found here:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitorfilesanddirectorieswithinputs.conf
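
The steps in the answer above, written out as the two forwarder files. This is an added example, not part of the original post or taken from Splunk's documentation. The log path, host name, index name, sourcetype name, output group name and indexer address are all constructed placeholders to replace with your own values.

```ini
# ---- File 1: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Monitor stanza: the full path of the file to watch (step 2).
# The path below is a constructed placeholder.
[monitor:///var/log/process/process_variables.log]
disabled = false
# Step 1: the host value recorded on every event from this input
# (placeholder name).
host = plant-uf-01
# Step 3: sourcetype and destination index (placeholder names).
# The index must already exist on the indexer; events sent to an
# index that does not exist there are not searchable.
sourcetype = process_variable
index = process_logs

# ---- File 2: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Tells the Universal Forwarder where to send what it collects.
[tcpout]
defaultGroup = primary_indexers

# Group name is a placeholder; server is the indexer's receiving
# address and port (placeholder address, 9997 is the conventional
# receiving port and must be enabled on the indexer).
[tcpout:primary_indexers]
server = indexer.example.com:9997
```

After saving both files, restart the forwarder with `$SPLUNK_HOME/bin/splunk restart`. `splunk btool inputs list --debug` shows the merged input settings and which file each one came from, which helps confirm the monitor stanza was picked up.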
