Splunk® Enterprise

Getting Data In

Use forwarders to get data into Splunk Enterprise

Splunk forwarders consume data and send it to an indexer. Forwarders require minimal resources and have little impact on performance, so they can usually reside on the machines where the data originates.

For example, if you have a number of Apache Web servers that generate data that you want to search centrally, you can set up forwarders on the Apache hosts. The forwarders take the Apache data and send it to your Splunk Enterprise deployment for indexing, which consolidates, stores, and makes the data available for searching. Because of their reduced resource footprint, forwarders have a minimal performance impact on the Apache servers.

Similarly, you can install forwarders on your employees' Windows desktops. These forwarders can send logs and other data to your Splunk Enterprise deployment, where you can view the data as a whole to track malware or other issues.

What forwarders do

Forwarders get data from remote machines. Unlike raw network feeds, forwarders have the following capabilities:

  • Tag metadata (source, sourcetype, and host)
  • Buffer data
  • Compress data
  • Use SSL security
  • Use any available network ports
  • Run scripted inputs locally

Forwarders usually do not index the data, but instead, forward the data to a Splunk Enterprise deployment that does the indexing and searching. A Splunk Enterprise deployment can process data that comes from many forwarders. For detailed information on forwarders, see the Forwarding Data or Universal Forwarder manuals.

In most Splunk Enterprise deployments, forwarders serve as the primary consumers of data. In a large Splunk Enterprise deployment, you might have hundreds or even thousands of forwarders that consume data and forward for consolidation.

How to configure forwarder inputs

The following is a high-level overview of the steps to configure forwarder inputs for Splunk Enterprise.

  1. Configure a Splunk Enterprise host to receive the data.
  2. Determine the kind of forwarder you want to put on the host with the data.
    • You can use a heavy forwarder, which is a full Splunk Enterprise instance with forwarding turned on, or a universal forwarder, which is its own installation package.
    • The type of forwarder you use depends on the performance requirements for the host and whether you need to transform the data in any way as it comes into Splunk Enterprise.
  3. Download Splunk Enterprise or the universal forwarder for the platform and architecture of the host with the data.
  4. Install the forwarder onto the host.
  5. Enable forwarding on the host and specify a destination
  6. Configure inputs for the data that you want to collect from the host. You can use Splunk Web if the forwarder is a full Splunk Enterprise instance.
  7. Confirm that data from the forwarder arrives at the receiving indexer.

See the Forwarding Data Manual or the Universal Forwarder Manual for details on how to configure forwarding and receiving

Here are the main ways that you can configure data inputs on a forwarder:

  • Specify inputs during the initial deployment of the forwarder.
  • For Windows forwarders, specify common inputs during the forwarder installation process.
  • For *nix forwarders, specify inputs directly after installation.
  • Use the CLI.
  • Edit the inputs.conf file.
  • Install the app or add-on that contains the inputs you want.
  • Use Splunk Web to configure the inputs and a deployment server to copy the resulting inputs.conf file to forwarders.

Forwarder topologies and deployments

Last modified on 21 September, 2022
Use forwarders to get data into Splunk Cloud Platform   Use apps and add-ons to get data in

This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters