Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

Download topic as PDF

Enable a receiver

The receiver is a Splunk software instance that is configured to listen on a specific port for incoming communications from a forwarder. The receiver is typically an indexer, but can be another forwarder if you are using intermediate forwarding. An intermediate forwarder must be configured for both receiving and forwarding.

Updating configurations directly on Splunk software instances is only appropriate for single-instance deployments. To manage Splunk Enterprise configurations at scale, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.

Configure a receiver using Splunk Web

Use Splunk Web to configure a receiver for splunk-to-splunk (S2S) communication:

  1. Log into Splunk Web as a user with the admin role.
  2. In Splunk Web, go to Settings > Forwarding and receiving.
  3. Select "Configure receiving."
  4. Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port on indexers is port 9997.
  5. Select "New Receiving Port."
  6. Add a port number and save.

Splunk Web is only available with Splunk Enterprise, not the universal forwarder.

Configure a receiver using the command line

Use the command line interface (CLI) to configure a receiver for S2S communication:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/bin
  3. Type: splunk enable listen <port> -auth <username>:<password> .
  4. Restart Splunk software for the changes to take effect.
*nix example Windows example
./splunk enable listen 9997 -auth admin:password
splunk enable listen 9997 -auth admin:password

Configure a receiver using a configuration file

Configure an inputs.conf file for S2S communication:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/etc/system/local.
  3. Edit the inputs.conf file.
  4. Create a [splunktcp] stanza and define the receiving port. Example:
    [splunktcp://9997]
    disabled = 0
    
  5. Save the file.
  6. Restart Splunk software for the changes to take effect.
Last modified on 29 April, 2020
PREVIOUS
How to forward data to Splunk Enterprise
  NEXT
Install the universal forwarder software

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters