Final answer:
The CLI command splunk add forward-server indexer: modifies the outputs.conf file on a Splunk Universal Forwarder, setting the address of the indexer to which it should forward data.
Step-by-step explanation:
When you use the command splunk add forward-server indexer:, it modifies the configuration of a Splunk Universal Forwarder to send data to an indexing server (often referred to as an indexer). The configuration settings changed by this command are stored in the outputs.conf file, which is located in the $SPLUNK_HOME/etc/system/local/ directory on the Universal Forwarder. It's essential to explain that the indexer's address should replace the placeholder indexer: in the command with an actual host name or IP address along with a port number (for example, splunk add forward-server 192.168.1.100:9997).
The outputs.conf file contains the networking configuration for data forwarding. When the Splunk Universal Forwarder is instructed to send data to a new indexer, this command adds a new stanza or updates an existing stanza in the outputs.conf file to reflect the change. Following the execution of the command, the Universal Forwarder will start forwarding data to the specified indexer.