Splunk® Enterprise

Distributed Deployment Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Heavy and light forwarder capabilities

Certain capabilities are disabled in heavy and light forwarders. This section describes forwarder capabilities in detail.

Splunk heavy forwarder details

The heavy forwarder has all Splunk functions and modules enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf includes this stanza:

[pipeline:distributedSearch]
disabled = true

For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.

Splunk light forwarder details

Most features of Splunk are disabled in the Splunk light forwarder. Specifically, the Splunk light forwarder:

  • Disables event signing and checking whether the disk is full ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf).
  • Limits internal data inputs to splunkd and metrics logs only, and makes sure these are forwarded ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf).
  • Disables all indexing ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf).
  • Does not use transforms.conf and does not fully parse incoming data, but the CHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE, and sourcetype properties from props.conf are used.
  • Disables the Splunk Web interface ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf ).
  • Limits throughput to 256KBps ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf).
  • Disables the following modules in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf:
      [pipeline:indexerPipe]
      disabled_processors= indexandforward, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor

      [pipeline:distributedDeployment]
      disabled = true

      [pipeline:distributedSearch]
      disabled = true

      [pipeline:fifo]
      disabled = true

      [pipeline:merging]
      disabled = true

      [pipeline:typing]
      disabled = true

      [pipeline:udp]
      disabled = true

      [pipeline:tcp]
      disabled = true

      [pipeline:syslogfifo]
      disabled = true

      [pipeline:syslogudp]
      disabled = true

      [pipeline:parsing]
      disabled_processors=utf8, linebreaker, header, sendOut

      [pipeline:scheduler]
      disabled_processors = LiveSplunks 

These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.

The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.

Purge old indexes

When you convert a Splunk indexer instance to a light forwarder, among other things, you disable indexing. In addition, you no longer have access to any data previously indexed on that instance. However, the data still exists.

If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean command, and then renable the app. For information on the clean command, see "Remove indexed data from Splunk" in the Managing Indexers and Clusters manual.

PREVIOUS
Deploy a heavy or light forwarder
  NEXT
About distributed search

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

i have to get inputs from syslog server installed on a windows machine to the splunk indexer. can i use splunk forwarded for that ?

ACNmateen
September 3, 2013

The only really useful thing to do is to enable input processors that we turned off for the lighter forwarder configurations.<br /><br />Essentially reversing the decisions expressed in SplunkUniversalForwarder/default/default-mode.conf that turn of eg udp or tcp as Yann references is useful. Any more than that is probably not useful. <br /><br />Rearranging pipelines, disabling processors, etc is all not supported, and will be removed in a future version.

Jrodman, Splunker
May 30, 2013

Yoho: There is a very brief spec file here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Default-modeconf. The reason that the spec file is so brief is because it is unusual (and conceivably dangerous - see below), to edit the default-mode.conf file at all. (See Ykherian's earlier comment for an example of how to edit them to turn on network inputs.)<br /><br />The default-mode.conf file disables pipelines and processors that are in most cases essential for the proper functioning of Splunk. In the case of the light and heavy forwarder apps, these pipelines are disabled to reduce the footprints of these special-purpose components. <br /><br />If you feel you need to change these settings, either for forwarders or full Splunk, please contact Support before doing so.

Sgoodman, Splunker
May 29, 2013

Unfortunately, default-mode.conf is only mentioned on this page, there is no documentation on Splunk website. There is also no useful .spec or .example file in $SPLUNK_HOME/etc/system/README directory. Could something be done about it ?

Yoho
May 29, 2013

example to turn on UDF and TCP inputs on a lightweight or universal forwarder,<br /><br />add in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/default-mode.conf<br />or add $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf<br /><br />[pipeline:udp]<br />disabled = false<br /><br />[pipeline:tcp]<br />disabled = false

Ykherian, Splunker
December 17, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters