Enable forwarding and receiving
This documentation does not apply to the most recent version of Splunk.
Version 3.4 of Splunk includes the Splunk forwarder and light forwarder configurations, packaged as Splunk applications. You can enable and disable these configurations as desired, in conjunction with the information and procedures described in this topic.
For a general overview of how forwarding and receiving work, please read the introduction to forwarding and receiving.
Important: If you are configuring forwarding and receiving, your receiving Splunk instance must run the same version or a later version of Splunk as your forwarders.
Important: Beginning with 3.4.2, users running Splunk with the Free license can set their instance to receive data from a forwarder. In earlier versions of Splunk, users needed an Enterprise license to change this distributed setting.
Read this before you enable Splunk forwarder or light forwarder
Splunk Web is turned off in the forwarder and light forwarder to reduce the footprint of Splunk on the forwarding host. Therefore, if you want to use Splunk Web to configure your forwarding Splunk instance, do this before you enable forwarding. After you enable forwarding, you can only configure your forwarder via the Splunk CLI.
You must configure a receiver before setting up forwarding. This way, the Splunk receiving host is prepared for the forwarded data. Then, configure your forwarder(s). Follow these general steps to deploy Splunk forwarders and light forwarders effectively.
First, enable a Splunk server to receive data:
1. Decide which machine to use as a receiver.
2. Configure it to receive data using these instructions.
Note: Your receiving Splunk instance must be running the same version of Splunk as your forwarders, or a later version.
Then, on the forwarding Splunk instance:
1. Install Splunk on the machine that will be forwarding data.
2. Point your forwarder at the receiver using these instructions. You have the option of enabling local indexing at this time, which means that any data that is forwarded is also indexed locally. This applies to any pre-existing data on the forwarder as well.
3. Use Splunk Web or the CLI to add inputs as described here. Data from these inputs will be sent via the forwarder to the receiver as soon as you do this (and indexed locally if you've configured this).
4. Then, use Splunk Web or the CLI to enable Splunk forwarder or light forwarder.
5. Install applications on your light forwarder. Specifically, install any applications that you're running on your receiver that also contain inputs.conf.
After you configure a Splunk instance to forward data, add any additional settings, such as routing, cloning, filtering or data balancing. Configuration changes are done on the forwarder side, on the host that is reading the data input.
Note: If you are running a version of Splunk that is older than 3.4.2, you must have an Enterprise license on the receiver. Splunk instances before 3.4.2 running with the default license can forward but cannot receive data. Customers who require Enterprise features (such as authentication) on forwarding instances of Splunk can enable the $SPLUNK_HOME/etc/splunk-forwarder.license file. Alternately, you can upgrade to 3.4.2 or later and enable receiving without an Enterprise license.
Receiving
Follow these instructions to configure a Splunk instance as a receiver.
Note: Your receiving Splunk instance must be running the same (or later) version of Splunk as your forwarders. For example, a 3.3 receiver can accept traffic from forwarders running earlier versions. A 3.2 receiver cannot accept connections from a 3.3 forwarder.
via Splunk Web
Enable receiving via Splunk Web.
- Navigate to Splunk Web on the server that will receive data for indexing.
- Click the Admin link in the upper right hand corner of Splunk Web.
- Select the Distributed tab.
- Click Receive Data.
To begin receiving data:
- Set the radio button to Yes.
- Specify the port that you want Splunk to listen on. This is also the port that Splunk instances use to forward data to this server.
- Click the Save button to commit the configuration. Restart Splunk for your changes to take effect.
via Splunk CLI
Enable receiving from Splunk's CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. Alternatively, add Splunk to your path and use the splunk command.
To log in:
./splunk login
Splunk username: admin
Password:
To enable receiving:
# ./splunk enable listen 42099 -auth admin:changeme
Listening for Splunk data on TCP port 42099.
To disable receiving:
# ./splunk disable listen -auth admin:changeme
No longer listening for Splunk TCP data.
You need to restart the Splunk Server for your changes to take effect.
Forwarding
You must first configure your receiving Splunk host using the instructions above before configuring forwarders.
via Splunk Web
Enable forwarding via Splunk Web.
- Navigate to Splunk Web on the server that will be forwarding data for indexing.
- Click the Admin link in the upper right-hand corner of Splunk Web.
- Select the Distributed tab.
- Click Forward Data.
To begin forwarding data:
- Set the Forward data to other Splunk Servers? radio button to Yes.
- Specify whether you want to keep a copy of the data local in addition to forwarding or just forward. Keeping a local copy allows you to search from the local server, but requires more space and memory.
- Specify the Splunk server(s) and port number to forward data to. The port number should be the same one that you specified when you configured receiving.
- Click the Save button to commit the configuration. Restart Splunk for your changes to take effect.
via Splunk CLI
Enable forwarding from the Splunk CLI. Navigate to your $SPLUNK_HOME/bin directory on the forwarding server and log in to the CLI. Alternatively, add Splunk to your path and use the splunk command.
To log in:
./splunk login
Splunk username: admin
Password:
To enable forwarding:
# ./splunk add forward-server <host:port> -auth admin:changeme
where <host:port> is the hostname and port of the Splunk server to which this forwarder or light forwarder should send data.
To disable forwarding:
# ./splunk remove forward-server <host:port> -auth admin:changeme
where <host:port> is the hostname and port of the Splunk server to which this forwarder or light forwarder is currently sending data.
Note: Although this command disables the forwarding activity, this machine will still be configured as a Splunk forwarder or light forwarder.
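The following POSIX shell wrapper is an added example, not part of the Splunk documentation: it chains the CLI steps above, first enforcing the rule that the receiver runs the same or a later version than the forwarder, then issuing the enable listen and add forward-server commands shown on this page. SPLUNK_CMD, SPLUNK_AUTH, DRY_RUN and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Wraps the CLI steps on this
# page: version check, then "enable listen" on the receiver and
# "add forward-server" on the forwarder. SPLUNK_CMD, SPLUNK_AUTH and DRY_RUN are
# this script's own assumptions; DRY_RUN=1 only prints the commands.
SPLUNK_CMD="${SPLUNK_CMD:-./splunk}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"   # -auth is visible in ps output and
DRY_RUN="${DRY_RUN:-1}"                        # shell history; change the default

# version_ge A B: succeeds when dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a='' || a=${a#*.}
        [ "$bi" = "$b" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# Refuse the pairing the page forbids: a receiver older than its forwarder.
check_versions() {   # $1 receiver version, $2 forwarder version
    if version_ge "$1" "$2"; then return 0; fi
    echo "receiver $1 is older than forwarder $2; upgrade the receiver first" >&2
    return 1
}

# Print (DRY_RUN=1) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# On the receiver: listen for forwarded data on port $1 (the page uses 42099).
enable_receiving() {
    run "$SPLUNK_CMD" enable listen "$1" -auth "$SPLUNK_AUTH"
}

# On the forwarder: point at the receiver as host:port, after the version check.
enable_forwarding() {   # $1 host:port, $2 receiver version, $3 forwarder version
    check_versions "$2" "$3" || return 1
    run "$SPLUNK_CMD" add forward-server "$1" -auth "$SPLUNK_AUTH"
}
# Restart Splunk on each host afterwards, as the page says, for changes to apply.
```

Run with DRY_RUN=0 on the actual hosts once the printed commands look right.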
This documentation applies to the following versions of Splunk: 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14