Configuring the Universal Forwarder

  1. Complete the following steps on the computer that is running the VIP Report Streaming Service reference client to configure your Splunk Universal Forwarder:
  2. Using a standard text editor, create a text file named props.conf. Copy the following text into that file and save it:
    # Version 7.3.0
    [splunkd]
    EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*) \s+(?P<component>[^ ]+) - (?P<event_message>.+)

    [scheduler]
    EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*) \s+(?P<component>[^ ]+) - (?P<event_message>.+)

    [splunk_web_service]
    EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)

    [vip_api]
    DATETIME_CONFIG =
    KV_MODE = json
    MAX_TIMESTAMP_LOOKAHEAD = 200
    NO_BINARY_CHECK = true
    TIME_FORMAT = %Y-%m-%d %H:%M:%S
    TIME_PREFIX = *ts;\s
    TZ = UTC
    category = Custom
    pulldown_type = true
    SHOULD_LINEMERGE = true
    disabled = false
    BREAK_ONLY_BEFORE = ([r\n])
    This file defines a custom source type, vip_api, for the data that the VIP Report Streaming Service reference client writes. Its TZ = UTC setting makes Splunk interpret the event timestamps as UTC, so the time shown in Splunk matches the Symantec timestamp (which is UTC). Note that the search-time settings in this file (the EXTRACT- stanzas and KV_MODE = json) take effect only on the Splunk instance that runs searches, so for Splunk Cloud they must also be deployed there; the forwarder alone does not apply them.
  3. Copy the props.conf file to the C:\Program Files\Splunk\etc\apps\search\local directory.
  4. Using a standard text editor, modify C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf (create the file if it does not exist). Add the following stanza; the monitor:// header must be enclosed in square brackets, as in the example below:
    [monitor://<path_to_event_log_dir>\event.log]
    disabled = 0
    host = <host_name>
    index = <index_name>
    sourcetype = <source_type>
    Where:
    • <path_to_event_log_dir> is the path to the event logs directory (event_log_dir) that you set when you configured the VIP Report Streaming Service reference client.
    • <host_name> is the host name of the computer that is running the VIP Report Streaming Service reference client.
    • <index_name> is the name of your Splunk Cloud index.
    • <source_type> is the custom source type you created in props.conf. Enter vip_api for this value.
    For example:
    [monitor://C:\StreamingReferenceClient\logs\event.log]
    disabled = 0
    host = myhostname
    index = vip_api
    sourcetype = vip_api
  5. As an administrator, run the following command from the forwarder's bin directory (C:\Program Files\SplunkUniversalForwarder\bin):
    splunk.exe install app <path to\splunkclouduf.spl>
    Where <path to\splunkclouduf.spl> is the location of the universal forwarder credentials package (splunkclouduf.spl) that you downloaded from your Splunk Cloud instance. This package is not the forwarder installer: it contains the credentials (client certificate) and forwarding settings the forwarder uses to authenticate to Splunk Cloud, so store it where only administrators can read it and do not copy it to untrusted hosts.
  6. When prompted, enter the administrator user name and password that you set when you installed the Splunk Universal Forwarder. A message confirms that the app was installed.
  7. As an administrator, run Services.msc from a command line.
  8. Locate the Splunk Universal Forwarder service (SplunkForwarder) and restart it.
    The events written by the VIP Report Streaming Service reference client should begin appearing in the Splunk Cloud index.
    [Figure: Logs in Splunk Cloud index (vip_api)]
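Steps 4 through 8 above, carried out as one elevated PowerShell script. This is an added example and is not code from the Symantec or Splunk documentation. The default paths, the host name, the index and source type names, the script name Configure-VipForwarder.ps1, and the Windows service name SplunkForwarder (the forwarder's default) are assumptions; adjust them to your installation.

```powershell
# Added example: automate steps 4-8 of the Universal Forwarder configuration.
# Not part of the Symantec or Splunk documentation. Defaults below are assumptions.
[CmdletBinding()]
param(
    [string]$UfHome     = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$EventLog   = 'C:\StreamingReferenceClient\logs\event.log',  # <event_log_dir>\event.log
    [string]$HostName   = $env:COMPUTERNAME,
    [string]$IndexName  = 'vip_api',
    [string]$SourceType = 'vip_api',
    [Parameter(Mandatory)][string]$CredentialsApp                        # path to splunkclouduf.spl
)
$ErrorActionPreference = 'Stop'
$splunk = Join-Path $UfHome 'bin\splunk.exe'
$inputs = Join-Path $UfHome 'etc\system\local\inputs.conf'

# Writing under Program Files and restarting the service both need elevation; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
foreach ($p in @($splunk, $EventLog, $CredentialsApp)) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# Step 4: append the monitor stanza, but only once (re-running must not duplicate it).
# The header must be bracketed, i.e. [monitor://...], or the forwarder ignores the input.
$stanza = "[monitor://$EventLog]"
$present = (Test-Path $inputs) -and (Select-String -Path $inputs -Pattern $stanza -SimpleMatch -Quiet)
if (-not $present) {
@"

$stanza
disabled = 0
host = $HostName
index = $IndexName
sourcetype = $SourceType
"@ | Add-Content -Path $inputs -Encoding ascii
    Write-Host "Added $stanza to $inputs"
} else {
    Write-Host "$stanza already present in $inputs"
}

# Steps 5-6: install the Splunk Cloud credentials package. splunk.exe prompts for the
# forwarder admin user name and password; passing them via -auth would expose the
# password on the command line, so the prompt is used here on purpose.
# The .spl holds the client certificate used to authenticate to Splunk Cloud: keep it
# readable by administrators only and remove it from shared locations when done.
& $splunk install app $CredentialsApp

# Steps 7-8: restart the forwarder service instead of using Services.msc.
Restart-Service -Name SplunkForwarder
(Get-Service -Name SplunkForwarder).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verify: the Splunk Cloud indexers should be listed as active forward servers, and
# the event log should appear among the monitored inputs (both commands prompt for credentials).
& $splunk list forward-server
& $splunk list monitor
```

Run it from an elevated PowerShell session, for example `.\Configure-VipForwarder.ps1 -CredentialsApp C:\Temp\splunkclouduf.spl -HostName myhostname`. If `splunk list forward-server` shows the Splunk Cloud endpoint under "Configured but inactive forwards", the credentials app was installed but the forwarder cannot reach or authenticate to Splunk Cloud, which is worth resolving before expecting events in the vip_api index.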