Enable a receiver
To enable forwarding and receiving, you must configure both a forwarder and a receiver. The receiver is the Splunk instance that receives the data. The forwarder sends data to the receiver.
The forwarder connects to the receiver on its receiving network port and sends data to the receiver for as long as it can see the receiver. If you configure the receiver to connect to more than one indexer, it performs load balancing between the available indexers.
The receiver is either a Splunk indexer or another forwarder (referred to as an "intermediate forwarder") that you configure to receive data from other forwarders. The receiver can also be multiple indexers at one time.
On the universal forwarder, you have two options to configure receiving:
- Use the Splunk Command Line Interface (CLI).
- Edit the
A best practice for configuring forwarding is to set up receivers first. You can then set up forwarders to send data to that receiver.
Set up receiving with Splunk CLI
- To enable receiving, run the command line interface (CLI) command:
splunk enable listen <port> -auth <username>:<password>
<port>is the port you want the receiver to listen on (the receiving port). For example, if you enter 9997, the receiver receives data on port 9997.
- By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like
netstatto determine what ports are available on your system. When you choose a port, confirm that the port you select is not in use.
splunk enable listen command creates a
[splunktcp] stanza in
inputs.conf. For example, if you set the port to 9997, it creates the stanza
Set up receiving with configuration files
You enable receiving on your Splunk instance by configuring
- To enable receiving, add a
[splunktcp]stanza that specifies the receiving port. In this example, the receiving port is 9997:
[splunktcp://9997] disabled = 0
- Restart Splunk software for the changes to take effect.
[splunktcp://:9997] (one colon or two) are semantically equivalent.
How to forward data to Splunk Enterprise
Install the universal forwarder software
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0
Feedback submitted, thanks!