Solved: Universal Forwarder Stanza

iherb_0718 · ‎06-23-2021

Universal Forwarder installed on a Windows server using all default settings.

Where can I find the stanza that has the types of events it is logging so that I can validate it received th

richgalloway · ‎06-23-2021

No one stanza has that information. The best way, IMO, to see what a UF is sending to the indexers is use btool. On the server running the UF, run this CLI command:

C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe btool -debug inputs list

You will need the admin credentials you defined when you installed the forwarder. It will then spit out a list of all of its input stanzas and associated settings.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-23-2021

No one stanza has that information. The best way, IMO, to see what a UF is sending to the indexers is use btool. On the server running the UF, run this CLI command:

C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe btool -debug inputs list

You will need the admin credentials you defined when you installed the forwarder. It will then spit out a list of all of its input stanzas and associated settings.

---
If this reply helps you, Karma would be appreciated.

venkatasri · ‎06-23-2021

Hi @iherb_0718

Open cmd line and navigate to %SPLUNK_HOME%\bin in Windows and execute the following command to find the input stanzas being configured by default.

splunk btool inputs list

---

An upvote would be appreciated and accept solution if it helps!

Universal Forwarder Stanza

configuration

Enterprise Security Content Update (ESCU) v3.54.0

Using Machine Learning for Hunting Security Threats

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...