Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

Download topic as PDF

Upgrade a universal forwarder to a heavy forwarder

The universal forwarder is the recommended method to gather data from hosts and send it to your Splunk deployment. However, there might be times where you need the routing and filtering capabilities that a heavy forwarder can provide. In such a case, you can upgrade a universal forwarder to a heavy forwarder.

Because the universal forwarder and the heavy forwarder install in separate directories by default, you can install the heavy forwarder on the same host as the universal forwarder and move the universal forwarder data to the heavy forwarder.

A heavy forwarder requires a larger amount of disk space than a universal forwarder does. It also uses more network and memory resources than a universal forwarder does (though you can configure the instance to use less.)

Splunk Enterprise also requires a separate license after the 60-day trial license expires.

Upgrade a universal forwarder to a heavy forwarder

  1. Stop the universal forwarder on the host that you want to upgrade to a heavy forwarder.
  2. Download Splunk Enterprise onto the host.
  3. Install Splunk Enterprise on the host.
  4. Copy the fishbucket and persistent databases from the universal forwarder to the same directory on the heavy forwarder.
  5. Copy inputs.conf and outputs.conf from the universal forwarder to the heavy forwarder.
  6. (Optional) Copy any add-ons you have installed from the universal forwarder to the heavy forwarder.
  7. Edit props.conf and transforms.conf on the heavy forwarder, or use a deployment server to send configurations to the forwarder.
  8. Restart the heavy forwarder.
  9. Confirm that the heavy forwarder sends data to the indexer.
  10. Uninstall the universal forwarder.
PREVIOUS
Upgrade the *nix universal forwarder
  NEXT
Uninstall the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters