Documentation > Splunk > Admin Manual > More about forwarders

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Add data and configure inputs
Set up forwarding and receiving
Configure event processing
Configure event timestamping
Configure indexed field extraction
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

More about forwarders

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

More about forwarders

Certain capabilities are disabled in forwarders and light forwarders. This section describes forwarder capabilities in detail.

Splunk forwarder details

All functions and modules of the Splunk regular forwarder are enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf includes this stanza: 

[pipeline:distributedSearch]
disabled = true

For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.

Splunk light forwarder details

Most features of Splunk are disabled in the Splunk light forwarder. Specifically, the Splunk light forwarder: 

      [pipeline:indexerPipe]
      disabled_processors= indexandforward, diskusage, signing,tcp-output generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor

      [pipeline:distributedDeployment]
      disabled = true

      [pipeline:distributedSearch]
      disabled = true

      [pipeline:fifo]
      disabled = true

      [pipeline:merging]
      disabled = true

      [pipeline:typing]
      disabled = true

      [pipeline:udp]
      disabled = true

      [pipeline:tcp]
      disabled = true

      [pipeline:syslogfifo]
      disabled = true

      [pipeline:syslogudp]
      disabled = true

      [pipeline:parsing]
      disabled_processors=utf8, linebreaker, header, sendOut

      [pipeline:scheduler]
      disabled_processors = LiveSplunks

These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.

The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Moreaboutforwarders"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!