Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

Download topic as PDF

Configure an intermediate forwarder

Intermediate forwarding is where a forwarder receives data from one or more forwarders and then sends that data on to another indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want to send data from those forwarders to a central host in that region before forwarding the data to an indexer. All forwarder types can act as an immediate forwarder.

Configure intermediate forwarding

Set up the intermediate forwarding tier

1. Install the universal forwarder. If you install the universal forwarder on Windows, you can specify the receiving indexer that the forwarder should send data to during the installation process.

2. Configure the forwarder to send data to the receiving indexer.

3. Edit inputs.conf to configure the forwarder to receive data.

4. (Optional) Edit inputs.conf to configure any local data inputs on the forwarder.

5. Restart the forwarder.

You can repeat these steps to add more forwarders to the tier.

Configure forwarders to use the intermediate forwarding tier

1. Install the universal forwarder.

2. Configure the forwarder to send data to the intermediate forwarder. In this case, the intermediate forwarder is the receiver.

3. Configure local data inputs on the forwarder.

4. Restart the forwarder.

Test the configuration

1. In Splunk Web, log into your Splunk deployment.

2. Open the Search and Reporting app.

3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder:

host=<name or ip address of forwarder> index=_internal

If you do not see events, then the host has not been configured properly. See Troubleshoot the universal forwarder for possible fixes.

Last modified on 06 August, 2019
Configure a forwarder to use a SOCKS proxy
Configure a forwarder to handle multiple pipeline sets

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters