Configure the receiving servers
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Configure the receiving servers
If you're using distributed input you will need to configure your receiving server (or servers) first. These are the Splunk instances that will be receiving and indexing data from other Splunk hosts. You need these servers to be in place before you configure the forwarding servers.
If you're using a single server deployment, follow these steps first to set up your index to handle data properly then proceed to the next step on the same server to get your inputs and data processing working.
Data policy
Splunk has a default data retention policy. You may want to keep your data around longer, age it out sooner, or set up a script to back it up. You can set the data retention policy on each of the receiving servers to reflect your data retention needs.
Authentication
Decide who gets access to the server. Then, set up user accounts for them. You can use either Splunk's built-in user authentication method, or you can set up LDAP.
Receiving
You will need to set up your receiving servers to accept incoming connections from the forwarding servers. You can set up receiving via SplunkWeb or the CLI.
Segmentation
If you have decided to change Splunk's data segmentation policy, you will need to make changes to segmenters.conf. You can set Splunk to break only on specific characters. Changing segmentation affects index size and, consequently, storage space.
This documentation applies to the following versions of Splunk: 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.