# Splunk forwarder (Windows and Linux)

This section explains how you can configure 'Splunk' like a log shipper.

In order for the Splunk component to send the log details to the event gateway,  users have to configure two elements.

1. Event Gateway Endpoint
2. Splunk configuration on Linux/Windows configuration

**Step 1:**&#x20;

An example Event Gateway Endpoint configuration is captured in the below configuration snippet.

```
Gateway Endpoint:
endpoints:
- name: winodows_events
  enabled: true
  type: tcp_json
  port: 9997
  attrs:
    site_code: dc1
    archive_name: splunk_events
  stream: windows-splunk-stream 
```

**Step 2:**&#x20;

Update the input and output.conf file from the below path:

**Input conf file:**

```
cd /opt/splunkforwarder/etc/system/local/

##Example adding messages##
[monitor:///var/log/messages*]
_TCP_ROUTING = *
disabled = false
```

**outputs.conf file:**

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://<event-gateway>:9997]

[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = <event-gateway>:9997

#Example 
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://10.95.131.101:9997]

[tcpout:default-autolb-group]
disabled = false
sendCookedData = false
server = 10.95.131.101:9997

```

**Step 3:**

Restart splunk service&#x20;

```
cd opt/splunkforwarder/bin
./splunk stop 
./splunk start
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cloudfabrix.io/rda/installation/log-shippers/splunk-forwarder-windows-and-linux.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.