Heavy and light forwarder capabilities
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Heavy and light forwarder capabilities
Certain capabilities are disabled in heavy and light forwarders. This section describes forwarder capabilities in detail.
Splunk heavy forwarder details
The heavy forwarder has all Splunk functions and modules enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf includes this stanza:
[pipeline:distributedSearch] disabled = true
For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.
Splunk light forwarder details
Most features of Splunk are disabled in the Splunk light forwarder. Specifically, the Splunk light forwarder:
- Disables event signing and checking whether the disk is full (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf). - Limits internal data inputs to
splunkdand metrics logs only, and makes sure these are forwarded ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf). - Disables all indexing (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf). - Does not use
transforms.confand does not fully parse incoming data, but theCHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE,andsourcetypeproperties fromprops.confare used. - Disables the Splunk Web interface (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf). - Limits throughput to 256KBps (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf). - Disables the following modules in
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf:
[pipeline:indexerPipe]
disabled_processors= indexandforward, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor
[pipeline:distributedDeployment]
disabled = true
[pipeline:distributedSearch]
disabled = true
[pipeline:fifo]
disabled = true
[pipeline:merging]
disabled = true
[pipeline:typing]
disabled = true
[pipeline:udp]
disabled = true
[pipeline:tcp]
disabled = true
[pipeline:syslogfifo]
disabled = true
[pipeline:syslogudp]
disabled = true
[pipeline:parsing]
disabled_processors=utf8, linebreaker, header, sendOut
[pipeline:scheduler]
disabled_processors = LiveSplunks
These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.
The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.
Purge old indexes
When you convert a Splunk indexer instance to a lightweight forwarder, among other things, you disable indexing. In addition, you no longer have access to any data previously indexed on that instance. However, the data still exists.
If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean command, and then renable the app. For information on the clean command, see "Remove indexed data from Splunk" in the Admin manual.
This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.
Comments
Hi Doc-team
there is a typo in the stanza [pipeline:indexerPipe]:
tcp-output generic-processor
should be
tcp-output-generic-processor
cheers,
MuS
Thanks, MuS, for catching that. Fixed now.