Get data from Forwarders service
Use the Forwarders Service source function to get data from a Splunk universal or heavy forwarder. This is a source function that filters your data to only ingest data from the Splunk Forwarders Service. See also Process data from a universal forwarder.
Function output schema
This function outputs data pipeline events using the event schema for events or metrics schema for metrics.
Required arguments
- connection_id
- Syntax: string
- Description: The ID of your Splunk Forwarders connection. Must be set to
"forwarders:all". - Example: "forwarders:all"
SPL2 example
When working in the SPL View, you can write the function using the following syntax.
| from forwarders("forwarders:all") |....;
Alternatively, you can use the named argument syntax to write this function.
| from forwarders(connection_id: "forwarders:all") |....;
Limitations of the Forwarders Service
The maximum supported size for a record is 5MB. If any records exceed that size, the Forwarders service returns an error.
| Get data from Splunk DSP Firehose | Get data from Ingest service |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6
Download manual
Feedback submitted, thanks!