Splunk® Enterprise

Getting Data In

Download manual as PDF

Download topic as PDF

Use forwarders to get data in

Splunk forwarders consume data and send it to your Splunk deployment for indexing. Forwarders require minimal resources and have little impact on performance, so they can usually reside on the machines where the data originates.

For example, if you have a number of Apache Web servers that generate data that you want to search centrally, you can set up forwarders on the Apache hosts. The forwarders take the Apache data and send it to your Splunk deployment for indexing, which consolidates, stores, and makes the data available for searching. Because of their reduced resource footprint, forwarders have minimal performance impact on the Apache servers.

Similarly, you can install forwarders on your employees' Windows desktops. These can send logs and other data to your Splunk deployment, where you can view the data as a whole to track malware or other issues. The Splunk App for Windows Infrastructure relies on this kind of deployment.

What forwarders do

Forwarders get data from remote machines. They represent a more robust solution than raw network feeds, with their capabilities for the following actions:

  • Tagging of metadata (source, sourcetype, and host)
  • Configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports
  • Running scripted inputs locally

Forwarders usually do not index the data, but rather forward the data to a Splunk deployment that does the indexing and searching. A Splunk deployment can process data that comes from many forwarders. For detailed information on forwarders, see the Forwarding Data or Universal Forwarder manuals.

In most Splunk deployments, forwarders serve as the primary consumers of data. In a large Splunk deployment, you might have hundreds or even thousands of forwarders that consume data and forward for consolidation.

How to configure forwarder inputs

Here are the main ways that you can configure data inputs on a forwarder:

  • Specify inputs during initial deployment.
  • For Windows forwarders, specify common inputs during the installation process.
  • For *nix forwarders, specify inputs directly after installation.
  • Use the CLI.
  • Edit inputs.conf.
  • Install an app that contains the inputs you want.
  • Use Splunk Web to configure the inputs and a deployment server to copy the resulting inputs.conf file to forwarders.

Forwarder Topologies and Deployments

PREVIOUS
Is my data local or remote?
  NEXT
Use apps to get data in

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2 View the Article History for its revisions.


Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters