Distributed Deployment Manual

 


Deploy heavy and light forwarders

Deploy a heavy or light forwarder

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk.


To enable forwarding and receiving, you configure both a receiver and a forwarder. The receiver is the Splunk instance receiving the data; the forwarder sends data to the receiver.

You must first set up the receiver. You can then set up forwarders to send data to that receiver.

Note: The receiver must be running the same (or later) version of Splunk as its forwarder. A 4.0 receiver can receive data from a 3.4 forwarder, but a 3.4 receiver cannot receive from a 4.0 forwarder.

Setting up a heavy or light forwarder is a two-step process:

1. Install a full Splunk instance.

2. Enable forwarding on the Splunk instance.

The sections that follow describe these steps in detail.

Important: This topic describes deployment and configuration issues specific to light and heavy forwarders. For information on how to deploy a universal forwarder, see "Universal forwarder deployment overview". For information on how to enable receiver functionality on a Splunk instance, see "Enable a receiver".

Install a full Splunk instance

To deploy a light or heavy forwarder, you must first install a full Splunk instance. For detailed information about installing Splunk, including system requirements and licensing issues, see the Installation manual.

Once the Splunk instance has been installed, you can enable forwarder functionality on it. You can also determine whether the forwarder should be a light forwarder or a heavy forwarder. For information on the differences between these types of forwarders, look here.

Set up forwarding

You can use Splunk Web or the Splunk CLI as a quick way to enable forwarding in a Splunk instance.

You can also enable, as well as configure, forwarding by creating an outputs.conf file for the Splunk instance. Although setting up forwarders with outputs.conf requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information.

Note: When you install a Splunk instance to be used as a light forwarder, select the forwarder license. You can then enable the light forwarder, as described below. For a heavy forwarder that performs indexing, you need an Enterprise license. For more information, see "Types of Splunk licenses".

Set up heavy forwarding with Splunk Web

Use Splunk Manager to set up a forwarder.

To set up a heavy forwarder:

1. Log into Splunk Web as admin on the server that will be forwarding data.

2. Click the Manager link in the upper right corner.

3. Select Forwarding and receiving in the Data area.

4. Click Add new in the Forward data section.

5. Enter the hostname or IP address for the receiving Splunk instance(s), along with the listening port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997. You can enter multiple hosts as a comma-separated list.

6. Click Save. You must restart Splunk to complete the process.

You can use Splunk Web to perform one other configuration (for heavy forwarders only). To store a copy of indexed data local to the forwarder:

1. From Forwarding and receiving, select Forwarding defaults.

2. Select Yes to store and maintain a local copy of the indexed data on the forwarder.

Important: A heavy forwarder has a key advantage over light and universal forwarders in that it can index your data locally, as well as forward the data to another Splunk index. However, local indexing is turned off by default. If you want to store data on the forwarder, you must enable that capability - either in the manner described above or by editing outputs.conf.

All other configuration must be done in outputs.conf.
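
The outputs.conf equivalent of the Splunk Web settings above, as an added example that is not part of the original Splunk documentation. It checks each host:port entry of the comma-separated receiver list before writing the file. The group name primary_receivers and both function names are hypothetical; the defaultGroup, server and indexAndForward attributes are taken from Splunk's outputs.conf specification rather than from this page, so check them against the spec for your installed version.

```shell
#!/bin/sh
# Added example: build an outputs.conf for a heavy or light forwarder.
# GROUP and both function names are hypothetical, chosen for this sketch.
GROUP=primary_receivers

# valid_target HOST:PORT -> status 0 when the host is a hostname or IPv4
# address and the port is an integer in 1-65535.
valid_target() {
    host=${1%:*}
    port=${1##*:}
    [ "$host" != "$1" ] || return 1            # no colon in the argument
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# make_outputs_conf "host:port,host:port" [true|false]
# Prints the file on stdout. The second argument turns on local indexing
# (heavy forwarders only). Returns 1 on an empty or malformed receiver list.
make_outputs_conf() {
    receivers=$(printf '%s' "$1" | tr -d ' ')
    local_index=${2:-false}
    case $receivers in
        ''|*,) echo "empty receiver entry" >&2; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for target in $receivers; do
        valid_target "$target" || {
            IFS=$old_ifs
            echo "bad receiver: $target" >&2
            return 1
        }
    done
    IFS=$old_ifs
    printf '[tcpout]\ndefaultGroup = %s\n' "$GROUP"
    if [ "$local_index" = true ]; then
        printf 'indexAndForward = true\n'
    fi
    printf '\n[tcpout:%s]\nserver = %s\n' "$GROUP" "$receivers"
}

# Constructed sample input: the receiver named in step 5 plus a second one.
make_outputs_conf "receivingserver.com:9997, 10.0.0.5:9997" true
```

Save the output as $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder and restart Splunk for it to take effect.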

Set up light forwarding with Splunk Web

Use Splunk Manager to set up a forwarder.

To enable light forwarding, you must first enable heavy forwarding on the Splunk instance. Then you separately enable light forwarding. This procedure combines the two processes:

1. Log into Splunk Web as admin on the server that will be forwarding data.

2. Click the Manager link in the upper right corner.

3. Select Forwarding and receiving in the Data area.

4. Click Add new in the Forward data section.

5. Enter the hostname or IP address for the receiving Splunk instance, along with the listening port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997.

6. Click Save.

7. Return to Manager > Forwarding and receiving.

8. Click Enable lightweight forwarding in the Forward data section. You must restart Splunk to complete the process.

Important: When you enable a light forwarder, Splunk Web is immediately disabled. You will then need to use the Splunk CLI or outputs.conf to perform any further configuration on the forwarder. Therefore, if you want to use Splunk Web to configure your forwarder, do so before you enable light forwarding.

Set up forwarding with the Splunk CLI

With the CLI, setting up forwarding is a two-step process. First you enable forwarding on the Splunk instance. Then you start forwarding to a specified receiver.

To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path.

To enable the forwarder mode, enter:

./splunk enable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>

Note: In the CLI enable command, SplunkForwarder represents the heavy forwarder.

Important: After this step, make sure you restart your Splunk instance as indicated! Attempting to start forwarding activity using the CLI before restarting splunkd will not work!

To disable the forwarder mode, enter:

./splunk disable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>

By disabling forwarding, this command reverts the Splunk instance to a full server.

Start forwarding activity from the Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin/. This is unnecessary if you have added Splunk to your path.

To start forwarding activity, enter:

./splunk add forward-server <host>:<port> -auth <username>:<password>

To end forwarding activity, enter:

./splunk remove forward-server <host>:<port> -auth <username>:<password>

Note: Although this command ends forwarding activity, the Splunk instance remains configured as a forwarder. To revert the instance to a full Splunk server, use the disable command:

./splunk disable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>

Important: Make sure you restart your Splunk instance as indicated by the CLI to take these changes into account.

Upgrade a forwarder

To upgrade a forwarder to a new version, just upgrade the Splunk instance in the usual fashion. For details, read the upgrade section of the Installation manual.

Important: Before doing an upgrade, consider whether you really need to. In many cases, there's no compelling reason to upgrade a forwarder. Forwarders are always compatible with later version indexers, so you do not need to upgrade them just because you've upgraded the indexers they're sending data to.

Back up your files first

Before you perform the upgrade, we strongly recommend that you back up all of your files. Most importantly, back up your Splunk configuration files. For information on backing up configurations, read "Back up configuration information" in the Admin manual.

If you're upgrading a heavy forwarder that's indexing data locally, you also need to back up the indexed data. For information on backing up data, read "Back up indexed data" in the Admin manual.

Splunk does not provide a means of downgrading to previous versions; if you need to revert to an older forwarder release, just reinstall it.

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Nhamel - Thanks for catching that.

Sgoodman, Splunker
April 11, 2012

On my heavy forwarder I cannot see a checkbox to enable automatic load balancing.
Automatic load balancing is activated by default.

Nhamel
April 11, 2012
