Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Upgrade a universal forwarder to a heavy forwarder

The universal forwarder is the recommended method to gather data from hosts and send it to your Splunk deployment. However, there might be times where you need the routing and filtering capabilities that a heavy forwarder can provide. In such a case, you can upgrade a universal forwarder to a heavy forwarder.

Because the universal forwarder and the heavy forwarder install in separate directories by default, you can install the heavy forwarder on the same host as the universal forwarder and move the universal forwarder data to the heavy forwarder.

A heavy forwarder requires a larger amount of disk space than a universal forwarder does. It also uses more network and memory resources than a universal forwarder does (though you can configure the instance to use less.)

Splunk Enterprise also requires a separate license after the 60-day trial license expires.

Upgrade a universal forwarder to a heavy forwarder

  1. Stop the universal forwarder on the host that you want to upgrade to a heavy forwarder.
  2. Download Splunk Enterprise onto the host.
  3. Install Splunk Enterprise on the host.
  4. Copy the fishbucket and persistent databases from the universal forwarder to the same directory on the heavy forwarder.
  5. Copy inputs.conf and outputs.conf from the universal forwarder to the heavy forwarder.
  6. (Optional) Copy any add-ons you have installed from the universal forwarder to the heavy forwarder.
  7. Edit props.conf and transforms.conf on the heavy forwarder, or use a deployment server to send configurations to the forwarder.
  8. Restart the heavy forwarder.
  9. Confirm that the heavy forwarder sends data to the indexer.
  10. Uninstall the universal forwarder.

See also

The table provides links to instructions on upgrading a heavy forwarder on a *nix or Windows machine for a Splunk Cloud Platform deployment.

For more information about See
Upgrade a heavy forwarder on a *nix machine Upgrade a heavy forwarder on *nix in the Splunk Cloud Platform Admin Manual
Upgrade a heavy forwarder on a Windows machine Upgrade a heavy forwarder on Windows in the Splunk Cloud Platform Admin Manual
Last modified on 01 December, 2021
Upgrade the *nix universal forwarder   Uninstall the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters