Splunk® Enterprise

Forwarding Data

This documentation does not apply to the most recent version of Splunk.

Set up forwarding and receiving

Once you've determined your forwarder deployment topology and what type of forwarder is necessary to implement it, the steps for setting up forwarding and receiving are straightforward. This topic outlines the key steps and provides links to the detailed topics.

To set up forwarding and receiving, you need to perform two basic actions, in this order:

1. Set up one or more Splunk Enterprise indexers as receivers. These will receive the data from the forwarders.

2. Set up one or more forwarders. These will forward data to the receivers.

The remainder of this topic lists the key steps involved, with links to more detailed topics. The procedures vary somewhat according to whether the forwarder is a universal forwarder or a heavy/light forwarder. Universal forwarders can sometimes be installed and configured in a single step. Heavy/light forwarders are first installed as full Splunk Enterprise instances and then configured as forwarders.

Note: This topic assumes that your receivers are indexers. However, in some scenarios, discussed elsewhere, a forwarder also serves as a receiver. The setup is much the same for any kind of receiver.

Note: You cannot forward data across a proxy, because the communication between forwarder and receiver does not use the HTTP protocol.

Forwarders and indexer clusters

When using forwarders to send data to peer nodes in an indexer cluster, you set up forwarding and receiving a bit differently from the description in this topic. To learn more about forwarders and clusters, read "Use forwarders to get your data" in the Managing Indexers and Clusters of Indexers manual.

Set up forwarding and receiving: universal forwarders

1. Install the full Splunk Enterprise instances that will serve as receivers. See the Installation Manual for details.

2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in this manual.

3. Install, configure, and deploy the universal forwarders. Depending on your forwarding needs, there are a number of best-practice deployment scenarios. See "Universal forwarder deployment overview" for details. Some of these scenarios allow you to configure the forwarder during the installation process.

4. If you have not already done so during installation, you must specify data inputs for each universal forwarder. See "What Splunk Enterprise can index" in the Getting Data In manual.

Note: Since the universal forwarder does not include Splunk Web, you must configure inputs through either the CLI or inputs.conf; you cannot configure them in Splunk Web.

5. If you have not already done so during installation, you must specify the universal forwarders' output configurations. You can do so through the CLI or by editing the outputs.conf file. You get the greatest flexibility by editing outputs.conf. For details, see the other topics in this section, including "Configure forwarders with outputs.conf".

6. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or filtering, is occurring as expected.
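
The configuration that steps 2, 4, and 5 produce, shown as the three .conf stanzas involved. This is an added example, not text from the Splunk manual; the host names, the port 9997, the monitored path, the sourcetype, the index, and the group name are constructed sample values.

```ini
# --- Receiver (indexer): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 2: listen for forwarder traffic on a TCP port.
# Port 9997 is a sample value; use the port you opened on the receiver.
[splunktcp://9997]
disabled = 0

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 4: declare what to collect. The universal forwarder has no
# Splunk Web, so inputs are defined here or through the CLI.
# Path, sourcetype, and index are sample values.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 5: declare where to send the data.
# "primary_indexers" is a sample group name.
[tcpout]
defaultGroup = primary_indexers

# Listing more than one receiver lets the forwarder load-balance
# across them. Host names are sample values.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# Step 6 check, run as a search on a receiver after restarting the
# forwarder: each connected forwarder should appear in the results of
#   index=_internal source=*metrics.log group=tcpin_connections
# A forwarder that is missing from the results is not delivering data,
# which for security logging means a visibility gap on that host.
```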

Set up forwarding and receiving: heavy or light forwarders

Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.

1. Install the full Splunk Enterprise instances that will serve as forwarders and receivers. See the Installation Manual for details.

2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in this manual.

3. Use Splunk Web or the CLI to enable forwarding on the instances designated as forwarders. See "Deploy a heavy or light forwarder" in this manual.

4. Specify data inputs for the forwarders in the usual manner. See "What Splunk Enterprise can index" in the Getting Data In manual.

5. Specify the forwarders' output configurations. You can do so through Splunk Web, the CLI, or by editing the outputs.conf file. You get the greatest flexibility by editing outputs.conf. For details, see "Deploy a heavy or light forwarder", as well as the other topics in this section, including "Configure forwarders with outputs.conf".

6. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or routing, is occurring as expected.

Manage your forwarders

In environments with multiple forwarders, you might find it helpful to use the deployment server to update and manage your forwarders. See "About deployment server" in the Updating Splunk Enterprise Instances manual.

To view the status of your forwarders, you can use the deployment monitor.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

