Set up receiving
Before you set up forwarders, you must configure one or more receivers. Once you've set up your receiver(s) you can then configure your forwarder(s).
Important: Your receiver must be running the same (or later) version of Splunk as your forwarders. For example, a 4.0 receiver can accept traffic from forwarders running earlier versions, but a 3.4 receiver cannot accept connections from a 4.0 forwarder.
Here are some questions to answer before proceeding:
Where is your data coming from?
The options you choose in the steps below depend on several things, one of which is where the data is being forwarded from. In general, forwarded data comes from either another Splunk instance (a forwarder or light forwarder) or a non-Splunk source.
What format is your data arriving in?
- If your data is coming from a Splunk Forwarder, it will be TCP, and it will be parsed, which means it has been processed or split into labelled events by the forwarder.
- If your data is coming from a Splunk Light Forwarder, it will be TCP, and it will be unparsed (although it is labelled with host, source, time, etc.), which means the receiver will have to process it.
- If your data is coming from a non-Splunk source (such as log4j, or syslog), it can be TCP or UDP, and it will be uncooked, which means the receiver will have to process it entirely.
Configure a receiver in Splunk Web
Enable receiving via Splunk Web.
- Log in to Splunk Web on the server that will receive data for indexing. You must log in as a user with permissions to configure forwarding and receiving. Most likely this will be the Admin user.
- Click the Manager link in the upper right corner of Splunk Web.
- Select Forwarding and receiving > Receive data from forwarder.
- Click New and specify what port this receiver will listen on. For example, 9997 will receive data on TCP port 9997.
- Click Save. You must restart Splunk to complete the process.
Important: Your receiving Splunk instance must be running the same version of Splunk as your forwarders, or a later version. A 4.0 instance of Splunk can receive data from 3.x forwarders, but not vice versa.
Configure a receiver using the Splunk CLI
Enable receiving from Splunk's CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command.
To log in:
./splunk login
Splunk username: admin
Password:
To enable receiving:
# ./splunk enable listen 42099 -auth admin:changeme
Listening for Splunk data on TCP port 42099.
To disable receiving:
# ./splunk disable listen -auth admin:changeme
No longer listening for Splunk TCP data. You must restart the Splunk Server for your changes to take effect.
Important: Your receiving Splunk instance must be running the same version of Splunk as your forwarders, or a later version.
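The Splunk Web and CLI procedures above both come down to opening a Splunk TCP port and restarting, and both carry the same version caveat. The script below is an added example, not code from the Splunk documentation or from Splunk: it encodes the receiver-not-older-than-forwarder rule as a version comparison, wraps the CLI "enable listen" step, and verifies afterwards with ss or netstat that the port really is in LISTEN state. SPLUNK_HOME (defaulting to /opt/splunk), the SPLUNK_AUTH variable and port 9997 are assumptions; the versions in the worked checks are the ones the page cites.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Assumptions: SPLUNK_HOME
# points at the receiver's install (default /opt/splunk) and SPLUNK_AUTH holds
# "user:password" for the CLI, as the page's "-auth admin:changeme" does.

# version_ge A B: exit 0 when dotted version A is >= B, 1 otherwise.
# Missing components count as 0, so 4.0 and 4.0.0 compare equal.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        [ -n "$a" ] || a=0
        [ -n "$b" ] || b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# check_forwarder RECEIVER_VER FORWARDER_VER: apply the page's rule that the
# receiver must be the same or a later version than the forwarder.
check_forwarder() {
    if version_ge "$1" "$2"; then
        echo "receiver $1 accepts forwarder $2"
    else
        echo "receiver $1 rejects forwarder $2: upgrade the receiver first" >&2
        return 1
    fi
}

# port_listening PORT: exit 0 when a TCP socket is listening on PORT.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "[.:]$1[[:space:]]"
    else
        netstat -an 2>/dev/null | grep -q "[.:]$1[[:space:]].*LISTEN"
    fi
}

# enable_receiving PORT: run the page's CLI step, restart Splunk (the page says
# listen changes need a restart), then confirm the socket is actually open.
enable_receiving() {
    port=$1
    splunk_home=${SPLUNK_HOME:-/opt/splunk}   # assumed install path
    splunk="$splunk_home/bin/splunk"
    if [ ! -x "$splunk" ]; then
        echo "no splunk binary at $splunk; nothing done" >&2
        return 2
    fi
    if [ -z "$SPLUNK_AUTH" ]; then
        echo "set SPLUNK_AUTH to user:password" >&2
        return 2
    fi
    "$splunk" enable listen "$port" -auth "$SPLUNK_AUTH" || return 1
    "$splunk" restart || return 1
    if port_listening "$port"; then
        echo "receiver is listening on TCP $port"
    else
        echo "splunk restarted but TCP $port is not listening; check splunkd.log" >&2
        return 1
    fi
}

# Worked checks with the versions the page uses as examples.
check_forwarder 4.0 3.4        # accepted
check_forwarder 3.4 4.0        # rejected
check_forwarder 4.0.11 4.0     # accepted: same release, later maintenance version

# On a real receiver, with SPLUNK_HOME and SPLUNK_AUTH exported:
# enable_receiving 9997
```

The version comparison is purely numeric on dotted components, which is enough for the 3.x/4.0.x numbering the page discusses; the listening check is what tells you the restart took effect, since "enable listen" alone only writes the configuration.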
Searching data received from a forwarder running on a different operating system
In most cases, a Splunk instance receiving data from a forwarder on a different OS will need to install the app for that OS. However, there are numerous subtleties that affect this; read on for the details.
Forwarding and indexing are OS-independent operations. Splunk supports any combination of forwarders and receivers, as long as each is running on a certified OS. For example, a Linux receiver can index data from a Windows forwarder.
Once data has been forwarded and indexed, the next step is to search or perform other knowledge-based activities on the data. At this point, the Splunk instance performing such activities might need information about the OS whose data it is examining. You typically handle this by installing the app specific to that OS. For example, if you want a Linux instance to search OS-specific data forwarded from Windows, you will ordinarily want to install the Windows app on the Linux instance.
If the data you're interested in is not OS-specific, such as web logs, then you do not need to install the Splunk OS app.
In addition, if the receiver is only indexing the data, and an external search head is performing the actual searches, you do not need to install the OS app on the receiver, but you might need to install it on the search head. As an alternative, you can use a search head running the OS. For example, to search data forwarded from Windows to a Linux receiver, you can use a Windows search head pointing to the Linux indexer as a remote search peer. For more information on search heads, see "Set up distributed search".
Important: After you have downloaded the relevant OS app, remove its inputs.conf file before enabling it, to ensure that its default inputs are not added to your indexer. For the Windows app, the location is: $SPLUNK_HOME/etc/apps/windows/default/inputs.conf.
In summary, you only need to install the app for the forwarder's OS on the receiver (or search head) if it will be performing searches on the forwarded OS data.
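As an added example (not from the Splunk documentation), the script below performs the inputs.conf step from the note above in a form that can be reviewed and reversed: it lists the input stanzas the OS app would activate, then moves the app's default/inputs.conf aside with a .parked suffix instead of deleting it. The app directory used in the demo, the .parked suffix and the sample inputs.conf contents are constructed for the example; the real path the page gives is $SPLUNK_HOME/etc/apps/windows/default/inputs.conf.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Parks an OS app's default inputs.conf
# before the app is enabled, so its inputs are not added to the indexer, while
# keeping a copy that can be inspected or restored.

# list_input_stanzas FILE: print the stanza names in a Splunk .conf file other
# than [default]; for inputs.conf these are the inputs the file would enable.
# A missing file yields no output.
list_input_stanzas() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*\[\(.*\)][[:space:]]*$/\1/p' "$1" | grep -v '^default$'
    return 0
}

# park_app_inputs APP_DIR: rename APP_DIR/default/inputs.conf to
# inputs.conf.parked. Exit 0 if parked or already absent, 1 if APP_DIR does not
# look like a Splunk app (no default/ directory).
park_app_inputs() {
    app_dir=$1
    conf="$app_dir/default/inputs.conf"
    if [ ! -d "$app_dir/default" ]; then
        echo "not an app directory: $app_dir" >&2
        return 1
    fi
    [ -f "$conf" ] || return 0
    mv "$conf" "$conf.parked"
}

# Demo on a constructed app tree (a stand-in for $SPLUNK_HOME/etc/apps/windows).
demo_dir=$(mktemp -d)
demo_app="$demo_dir/windows"
mkdir -p "$demo_app/default"
cat > "$demo_app/default/inputs.conf" <<'EOF'
# constructed sample, modelled on the kind of inputs an OS app ships
[default]
host = $decideOnStartup

[WinEventLog://Security]
disabled = 0

[perfmon://CPU]
disabled = 0
EOF

echo "inputs the app would enable on this indexer:"
list_input_stanzas "$demo_app/default/inputs.conf"
park_app_inputs "$demo_app"
remaining=$(list_input_stanzas "$demo_app/default/inputs.conf" | wc -l | tr -d ' ')
echo "after parking: $remaining stanza(s) would be enabled"
rm -rf "$demo_dir"
```

Splunk only reads configuration files by their exact names, so the .parked copy is inert but still available for comparison when the app is later upgraded. Run the listing step before parking on the real app directory to record exactly which inputs you are declining to enable.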
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11