Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.


Important: You set up inputs on a forwarder the same way you set them up on a Splunk indexer. The only difference is that the forwarder does not include Splunk Web, so you must configure inputs with either the CLI or inputs.conf. Before setting up the inputs, you need to deploy and configure the forwarder, as this recipe describes.

You can use Splunk forwarders to send data to indexers, called receivers. This is usually the preferred way to get remote data into an indexer.

To use forwarders, specifically universal forwarders, for getting remote data, you need to set up a forwarder-receiver topology, as well as configure the data inputs:

1. Install the Splunk instances that will serve as receivers. See the Installation Manual for details.

2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in the Forwarding Data manual.

3. Install, configure, and deploy the forwarders. Depending on your forwarding needs, there are a number of best-practice deployment scenarios. See "Universal forwarder deployment overview" in the Forwarding Data manual for details. Some of these scenarios allow you to configure the forwarder during the installation process.

4. Specify data inputs for each universal forwarder, if you have not already done so during installation. You do this the same way you would for any Splunk instance. As a starting point, see "What Splunk can index" in this manual for guidance on configuring the different types of data inputs.

Note: Since the universal forwarder does not include Splunk Web, you must configure inputs through either the CLI or inputs.conf; you cannot configure with Splunk Web.

5. Specify the forwarders' output configurations, if you have not already done so during installation. You do this through the CLI or by editing the outputs.conf file. You get the greatest flexibility by editing outputs.conf. For details, see the Forwarding Data manual, including "Configure forwarders with outputs.conf".

6. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or filtering, is occurring as expected. Go to the receiver to search the resulting data.
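
The following is an added example, not part of the original Splunk documentation, showing steps 2, 4, and 5 as configuration files for one receiver pair and one universal forwarder. The host names, port 9997, the monitored path, the sourcetype, the index, and the group name `primary_indexers` are all assumptions chosen for illustration.

```ini
# --- Receiver (indexer): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 2: listen for data from forwarders. Port 9997 is an assumed choice.
[splunktcp://9997]
disabled = false

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 4: monitor a local file. Path, sourcetype, and index are assumed values.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main
disabled = false

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 5: send data to a named group of receivers. Listing more than one
# server makes the forwarder load-balance across them.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Constructed host names; replace with your own receivers.
server = idx1.example.com:9997, idx2.example.com:9997
# Ask receivers to acknowledge data so it is resent if a connection drops.
useACK = true
```

Restart the forwarder after editing these files. For the step 6 check, a search on a receiver such as `index=main sourcetype=linux_secure` should return events from the forwarder's host.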

For more information on forwarders, see the Forwarding Data manual, starting with "About forwarding and receiving". Also see "Use forwarders" in this manual.

Last modified on 23 October, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
