Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Forward data

This topic explains the "Select Forwarders" page that Splunk Enterprise loads when you click the "Forward" button on the "Add data" page.

Important: Only use this page if you have a single instance of Splunk Enterprise acting as an indexer and deployment server. If you have multiple servers that perform indexing, see "About deployment server and forwarder management" in the Updating Splunk Enterprise Instances manual.

The "Select Forwarders" page

When you access the "Forward" page, Splunk Enterprise presents you with the following:

62 SelectSource Forward.png

The page lets you define server classes and add forwarders to those classes in order to receive data from them.

This page only displays forwarders that you have already configured to forward data and act as deployment clients to this instance. If you have not configured any forwarders, the page warns you of this.

For a forwarder to appear in the list, the following must happen:

  • You must configure the forwarder as a deployment client. This means that a deployment server can manage the configurations for the forwarder. See "Configure deployment clients" in the Updating Splunk Enterprise Instances manual.
  • The forwarder must make a successful connection to the deployment server.

Once you see the forwarder in the list, you can configure it to add data:

1. In Select Server Class, click one of the options shown:

  • New If you have not defined any server classes, you want to create a new server class for any reason, or if an existing server class does not match the group of forwarders that you want to configure an input for.
  • Existing if you want to use an existing server class.

2. In the Available host(s) pane, choose the forwarders that you want this instance to receive data from. The forwarders move from the Available host(s) pane to the Selected host(s) pane. You can add all of the hosts by clicking the add all link, or remove all hosts by selecting the remove all link.

Important: Hosts you add to a server class must contain hosts of a certain platform. You cannot, for example, put Windows and *nix hosts in the same server class.

3a. If you chose New in "Select server class", enter a unique name for the server class that you will remember.

3b. If you chose Existing, select the server class you want from the drop-down list.

4. Click the green Next button on the upper right to proceed to the next step in the "Add data" process.

Splunk Enterprise loads the "Select Source" page and shows source types that are valid for the forwarders that you have selected.

5. Select the data sources that you want the forwarders to send data to this instance. See "Monitor data."

6. Click the green Next button to proceed to the next step in the Add data process.

Last modified on 22 April, 2015
Monitor data
The "Set Sourcetype" page

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters