Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Enable a receiver

To enable forwarding and receiving, you must configure both a forwarder and a receiver. The receiver is the Splunk instance that receives the data. The forwarder sends data to the receiver.

The forwarder connects to the receiver on its receiving network port and sends data to the receiver for as long as it can see the receiver. If you configure the receiver to connect to more than one indexer, it performs load balancing between the available indexers.

The receiver is either a Splunk indexer or another forwarder (referred to as an "intermediate forwarder") that you configure to receive data from other forwarders. The receiver can also be multiple indexers at one time.

On the universal forwarder, you have two options to configure receiving:

  • Use the Splunk Command Line Interface (CLI).
  • Edit the inputs.conf configuration file.

A best practice for configuring forwarding is to set up receivers first. You can then set up forwarders to send data to that receiver.

Set up receiving with Splunk CLI

  1. To enable receiving, run the command line interface (CLI) command:
    splunk enable listen <port> -auth <username>:<password>
  • <port> is the port you want the receiver to listen on (the receiving port). For example, if you enter 9997, the receiver receives data on port 9997.
  • By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. When you choose a port, confirm that the port you select is not in use.

The splunk enable listen command creates a [splunktcp] stanza in inputs.conf. For example, if you set the port to 9997, it creates the stanza [splunktcp://9997].

Set up receiving with configuration files

You enable receiving on your Splunk instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local.

  1. To enable receiving, add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:
    disabled = 0
  2. Restart Splunk software for the changes to take effect.

The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent.

Last modified on 29 April, 2020
How to forward data to Splunk Enterprise   Install the universal forwarder software

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters