Install a Splunk forwarder on Linux

You can install a Splunk forwarder on your Linux using using three methods:

  • using a Splunk forwarder .tar file.
  • using a Splunk forwarder .deb file.
  • using a Splunk forwarder .rpm file

In this section we will show you how to install a Splunk forwarder on Ubuntu, a Debian-based Linux distrubution. First, we need to download the right software. Go to https://www.splunk.com/en_us/download/universal-forwarder.html and click the Linux button:

download splunk forwarder linux

Choose the software version for your system. We will download the 64-bit .deb version:

download splunk forwarder linux version

Open the shell and browse to the packet location. Note that .deb version can only be installed in the default location (/opt/splunk). To start the installation, run the sudo dpkg -i splunk_package_name.deb command:

install splunk linux forwarder

To start a Splunk universal forwarder, browse to the /bin directory in the /opt/splunkforwarder/ directory and run the sudo ./splunk start command:

start splunk linux forwarder

The first time you start Splunk after a new installation, you will need to accept the license agreement. Press y to accept the license and start the forwarder. You can run the sudo ./splunk status command to verify that the forwarder is indeed running:

splunk status command

Splunk tutorial

Splunk tutorial

Geek University 2022