This took me way longer than I would’ve thought, mostly due to horrible documentation. Here’s my TL;DR version:
- Sign up for Splunk Cloud
- Download and install the forwarder binary from here.
- Log in here and note the URL of your Splunk instance:
In the above picture, assume the URL is https://prd-p-jxxxxxxxx.splunk6.splunktrial.com.
- Make sure your instances can connect to port tcp/9997 on your input host. Your input host is the hostname from above with “input-” prepended to it. So in our example, the input host is input-prd-p-jxxxxxxxx.splunk6.splunktrial.com. To ensure you can connect, try `telnet input-prd-p-jxxxxxxxx.splunk6.splunktrial.com 9997`. If it can’t connect, you may need to adjust your firewall rules / security groups to allow outbound tcp/9997.
Below are the actual commands I used to get data into our Splunk Cloud trial instance:
```
$ curl -O http://download.splunk.com/products/splunk/releases/6.2.0/universalforwarder/linux/splunkforwarder-6.2.0-237341-linux-2.6-amd64.deb
$ sudo dpkg -i splunkforwarder-6.2.0-237341-linux-2.6-amd64.deb
$ sudo /opt/splunkforwarder/bin/splunk add forward-server input-prd-p-jxxxxxxxx.splunk6.splunktrial.com:9997
This appears to be your first time running this version of Splunk.
Added forwarding to: input-prd-p-jxxxxxxxx.splunk6.splunktrial.com:9997.
$ sudo /opt/splunkforwarder/bin/splunk add monitor '/var/log/postgresql/*.log'
Added monitor of '/var/log/postgresql/*.log'.
$ sudo /opt/splunkforwarder/bin/splunk list forward-server
Splunk username: admin
Password:
Active forwards:
    input-prd-p-jxxxxxxxx.splunk6.splunktrial.com:9997
Configured but inactive forwards:
    None
$ sudo /opt/splunkforwarder/bin/splunk list monitor
Monitored Directories:
    [No directories monitored.]
Monitored Files:
    /var/log/postgresql/*.log
$ sudo /opt/splunkforwarder/bin/splunk restart
```
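As an added example (my own helper, not part of the original post or of Splunk's tooling), here is the same procedure wrapped in a small Python script: it derives the input host from the instance URL, runs the tcp/9997 reachability check that the telnet test does, and builds the forwarder CLI steps above as argv lists. It assumes the default install path /opt/splunkforwarder/bin/splunk from the .deb and that `sudo` is available when you run it for real.

```python
import socket
import subprocess
from urllib.parse import urlparse

SPLUNK_BIN = "/opt/splunkforwarder/bin/splunk"  # assumption: default .deb install path
INPUT_PORT = 9997                                # forwarder input port used by Splunk Cloud


def input_host_for(instance_url: str) -> str:
    """Input host = instance hostname with 'input-' prepended (e.g. prd-p-... -> input-prd-p-...)."""
    hostname = urlparse(instance_url).hostname
    if not hostname:
        raise ValueError(f"no hostname found in {instance_url!r}")
    return f"input-{hostname}"


def can_reach(host: str, port: int = INPUT_PORT, timeout: float = 5.0) -> bool:
    """TCP connect check equivalent to the telnet test; False on refusal, unreachable or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def forwarder_commands(input_host: str, monitor_paths, splunk_bin: str = SPLUNK_BIN):
    """The CLI steps from the post as argv lists, so glob paths need no shell quoting."""
    cmds = [[splunk_bin, "add", "forward-server", f"{input_host}:{INPUT_PORT}"]]
    for path in monitor_paths:
        cmds.append([splunk_bin, "add", "monitor", path])
    cmds += [[splunk_bin, "list", "forward-server"],
             [splunk_bin, "list", "monitor"],
             [splunk_bin, "restart"]]
    return cmds


def configure(instance_url: str, monitor_paths, dry_run: bool = True):
    """Check reachability first, then print (dry run) or execute the forwarder setup via sudo."""
    host = input_host_for(instance_url)
    if not can_reach(host):
        raise ConnectionError(
            f"cannot reach {host}:{INPUT_PORT}; check outbound firewall rules / security groups")
    cmds = forwarder_commands(host, monitor_paths)
    for argv in cmds:
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(["sudo", *argv], check=True)
    return cmds


if __name__ == "__main__":
    configure("https://prd-p-jxxxxxxxx.splunk6.splunktrial.com", ["/var/log/postgresql/*.log"])
```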