Enable the Splunk forwarder or light forwarder
This documentation does not apply to the most recent version of Splunk.
As of version 3.4, the Splunk forwarder and light forwarder (formerly referred to as the lightweight forwarder) are now packaged as applications that you can enable via Splunk Web or the CLI.
Important: If you are configuring forwarding and receiving, your receiving Splunk instance must be running the same (or later) version of Splunk as your forwarders. Also, you cannot use data balancing in conjunction with the light forwarder because the data is not parsed before being sent: events may be split into parts before reaching the receiver, resulting in partial events.
What's different about the Splunk light forwarder?
The Splunk light forwarder can monitor local log files and directories, collect Windows event logs and use scripted inputs (including local WMI and registry data sources on Windows). To cut down on overhead, however, many other features are disabled.
Specifically, the Splunk light forwarder:
- Disables event signing and checking if the disk is full ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf)
- Limits internal data inputs to splunkd and metrics logs only, and makes sure these are forwarded ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf)
- Disables most local indexing ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf)
- Does not parse data. Therefore, install applications that include inputs.conf on both the light forwarder and the receiving instance.
- Disables the Splunk Web interface ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf)
- Limits throughput to 256KBps on monitor, exec, and Windows event log inputs ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf and the configurations under $SPLUNK_HOME/etc/apps/SplunkLightForwarder/config/input/*)
- Disables the following modules in ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/setup.conf):
    [modules]
    distributedDeployment = disabled
    distributedSearch = disabled
    input/FIFO = disabled
    input/UDP = disabled
    input/tcp = disabled
    input/syslogFIFO = disabled
    input/syslogUDP = disabled
These modules are the deployment server (not the deployment client), distributed search, input from named pipes / FIFOs, and direct input from network ports.
For a detailed view of the exact configuration, look at the setup.conf file for the SplunkLightForwarder application in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default, where $SPLUNK_HOME is the directory into which you installed Splunk.
Change the configuration
To alter the configuration of Splunk light forwarder (to add back in a specific input type, for example), edit the setup.conf for the SplunkLightForwarder application. To change the bandwidth limit, create a new limits.conf in a local directory (do not change the one in default) with a new [thruput] stanza for your desired limit.
What's different about the Splunk forwarder?
The Splunk forwarder disables the following modules in ($SPLUNK_HOME/etc/apps/SplunkForwarder/default/setup.conf):
    [modules]
    distributedDeployment = disabled
    distributedSearch = disabled
    input/FIFO = disabled
These modules are the deployment server (not the deployment client), distributed search, and input from named pipes / FIFOs.
All other functions and modules remain enabled.
For a detailed view of the exact configuration, you can look at the setup.conf file for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default, where $SPLUNK_HOME is the directory into which you installed Splunk.
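A check for drift from the two module lists above, for instance after setup.conf has been edited to add an input type back. This is an added example, not Splunk's own code; the function names, the merge order of the texts passed in, and the sample override value are assumptions.

```python
import configparser

# Modules each app disables in default/setup.conf, as listed on this page.
BASELINE = {
    "SplunkLightForwarder": [
        "distributedDeployment", "distributedSearch", "input/FIFO",
        "input/UDP", "input/tcp", "input/syslogFIFO", "input/syslogUDP",
    ],
    "SplunkForwarder": ["distributedDeployment", "distributedSearch", "input/FIFO"],
}

def parse_modules(conf_text):
    """Return the [modules] stanza of a setup.conf as a dict, names as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase names such as input/FIFO
    cp.read_string(conf_text)
    return dict(cp["modules"]) if cp.has_section("modules") else {}

def drift(app, *conf_texts):
    """List (module, value) pairs from the app's baseline that are not 'disabled'.

    conf_texts are merged in order, later text overriding earlier text
    (assumption: the caller passes default/setup.conf first, then any override).
    """
    merged = {}
    for text in conf_texts:
        merged.update(parse_modules(text))
    findings = []
    for name in BASELINE[app]:
        value = merged.get(name, "<missing>").strip()
        if value.lower() != "disabled":
            findings.append((name, value))
    return findings

# Constructed sample input: the light forwarder stanza shown on this page ...
DEFAULT_LIGHT = "[modules]\n" + "".join(
    f"{m} = disabled\n" for m in BASELINE["SplunkLightForwarder"])
# ... and a hypothetical override; "enabled" is an assumed value, not from the page.
LOCAL_OVERRIDE = "[modules]\ninput/tcp = enabled\n"

if __name__ == "__main__":
    for name, value in drift("SplunkLightForwarder", DEFAULT_LIGHT, LOCAL_OVERRIDE):
        print(f"DRIFT {name} = {value}")
```

A module missing from the stanza is reported as well, since the baseline expects an explicit disabled entry for it.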
Read this before you enable Splunk forwarder or light forwarder
Splunk Web is turned off in the light forwarder to reduce the footprint of Splunk on the forwarding host. Therefore, if you want to use Splunk Web to configure your forwarding Splunk instance, do this before you enable the forwarder application. After you enable the forwarder application, you can only configure your forwarder via the Splunk CLI.
You must configure a receiver before setting up forwarding. This way, the Splunk receiving host is prepared for the forwarded data. Then, configure your forwarder(s). Follow these general steps to deploy Splunk forwarders and light forwarders effectively.
First, enable a Splunk server to receive data:
1. Decide which machine to use as a receiver.
2. Configure it to receive data using these instructions.
Note: Your receiving Splunk instance must be running the same version of Splunk as your forwarders, or a later version.
Then, on the forwarding Splunk instance:
1. Install Splunk on the machine that will be forwarding data.
2. Enable data forwarding by pointing your forwarder at the receiver using these instructions. You have the option of enabling local indexing at this time, which means that any data that is forwarded is also indexed locally. This applies to any pre-existing data on the forwarder as well.
3. Use Splunk Web or the CLI to add inputs as described here. Data from these inputs will be sent via the forwarder to the receiver as soon as you do this (and indexed locally if you've configured this).
4. Then, use Splunk Web or the CLI to enable Splunk forwarder or light forwarder.
After you configure a Splunk instance to forward data, add any additional settings, such as routing, cloning, filtering or data balancing. Configuration changes are done on the forwarder side, on the host that is reading the data input.
If, once you've enabled the Splunk forwarder or light forwarder, you want to disable it, you must do it via the CLI as described below.
Important: You MUST provide this forwarder/light forwarder with the hostname and port of the Splunk server to which it will send data, using the information in this topic. You must also use the same information to set the Splunk server that will be receiving the data as a receiver.
Licensing for Splunk forwarder and light forwarder
When you enable either the Splunk forwarder or light forwarder, you must manually switch licenses as appropriate.
Enable via Splunk Web
To enable Splunk forwarder or light forwarder via Splunk Web:
1. Log into Splunk Web.
2. Navigate to the Admin section, and click Applications.
The Applications:View/Manage Applications page is displayed.
3. Find the Splunk application you want to enable for this system and click Enable.
The application is enabled.
Note: Remember, if you enable Splunk forwarder or light forwarder, Splunk Web will subsequently be unreachable.
Enable via CLI
To enable Splunk forwarder or light forwarder via the CLI:
./splunk enable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>
Note: If you are running Splunk with a free license, you do not have to provide a username and password.
Disable via CLI
To disable Splunk forwarder or light forwarder via the CLI:
./splunk disable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>
Note: If you are running Splunk with a free license, you do not have to provide a username and password.
This documentation applies to the following versions of Splunk: 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14