Splunk® Universal Forwarder

Forwarder Manual

Enable a receiver for Splunk Enterprise

A receiver is a Splunk component that you configure to listen on a specific network port for incoming data from a forwarder. For Splunk Enterprise, the receiver is usually an indexer or a cluster of indexers.

For Splunk Enterprise forwarder and indexer compatibility see Compatibility between forwarders and Splunk Enterprise indexers in the Splunk Products Version Compatibility Matrix manual.

Sometimes the receiver is another forwarder, which is called an intermediate forwarder. To learn more about how intermediate forwarders work, see Configure an intermediate forwarder.

To enable to a receiver for the Splunk Cloud Platform, see Enable a receiver for the Splunk Cloud Platform.

Configure a receiver using Splunk Web

Use Splunk Web to configure a receiver:

  1. Log into Splunk Web as a user with the admin role.
  2. In Splunk Web, go to Settings > Forwarding and receiving.
  3. Select "Configure receiving."
  4. Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port configured on indexers is port 9997.
  5. Optionally select "New Receiving Port."
  6. Add a port number and save.

Splunk Web is only available with Splunk Enterprise, not the universal forwarder.

Configure a receiver using the command line

Use the command line interface (CLI) to configure a receiver:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/bin
  3. Type: splunk enable listen <port> -auth <username>:<password> .
  4. Restart Splunk software for the changes to take effect.
*nix example Windows example 
./splunk enable listen 9997 -auth admin:password
 
splunk enable listen 9997 -auth admin:password

Configure a receiver using a configuration file

Configure a receiver using the inputs.conf file:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/etc/system/local.
  3. Edit the inputs.conf file.
  4. Create a [splunktcp] stanza and define the receiving port. Example: 
    [splunktcp://9997]
disabled = 0
  5. Save the file.
  6. Restart Splunk software for the changes to take effect.
Last modified on 21 March, 2024
Uninstall the universal forwarder   Enable a receiver for the Splunk Cloud Platform

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters