
Consolidate data from multiple machines
One of the most common forwarding use cases is to consolidate data originating across numerous machines. Forwarders located on the machines forward the data to a central Splunk Enterprise indexer. With their small footprint, universal forwarders ordinarily have little impact on their machines' performance. This diagram illustrates a common scenario, where universal forwarders residing on machines running diverse operating systems send data to a single Splunk Enterprise instance, which indexes and provides search capabilities across all the data:
The diagram illustrates a small deployment. In practice, the number of universal forwarders in a data consolidation use case could number upwards into the thousands.
This type of use case is simple to configure:
1. Determine what data, originating from which machines, you need to access.
2. Install a Splunk Enterprise instance, typically on its own machine. This instance will function as the receiver. All indexing and searching will occur on it.
3. Enable the instance as a receiver through Splunk Web or the CLI. Using the CLI, enter this command from $SPLUNK_HOME/bin/:
./splunk enable listen <port> -auth <username>:<password>
For <port>, substitute the port you want the receiver to listen on. This is also known as the "receiver port".
4. If any of the universal forwarders will be running on a different operating system from the receiver, install the app for the forwarder's OS on the receiver. For example, assume the receiver in the diagram above is running on a Linux box. In that case, you'll need to install the Windows app on the receiver. You might need to install the *nix app as well; however, since the receiver is on Linux, you have probably already installed that app. Details and provisos regarding this can be found here.
After you have downloaded the relevant app, remove its inputs.conf file before enabling it, to ensure that its default inputs are not added to your indexer. For the Windows app, the location is $SPLUNK_HOME/etc/apps/windows/default/inputs.conf.
5. Install universal forwarders on each machine that will be generating data. These will forward the data to the receiver.
6. Set up inputs for each forwarder. See "What Splunk Enterprise can index".
7. Configure each forwarder to forward data to the receiver. For Windows forwarders, you can do this at installation time, as described here. For *nix forwarders, you must do this through the CLI:
./splunk add forward-server <host>:<port> -auth <username>:<password>
For <host>:<port>, substitute the host and receiver port number of the receiver. For example, splunk_indexer.acme.com:9995.
Alternatively, if you have many forwarders, you can use an outputs.conf file to specify the receiver. For example:
[tcpout:my_indexers]
server = splunk_indexer.acme.com:9995
You can create this file once, then distribute copies of it to each forwarder.
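The outputs.conf stanza above sends events in cleartext and accepts whatever answers on the receiver port. As an added example (not from the original page), here is the same stanza with the TLS settings that outputs.conf supports in Splunk Enterprise 6.x, so that each forwarder encrypts its traffic and verifies the receiver's certificate before sending; the certificate paths and password are placeholders you must replace, and the settings should be checked against the outputs.conf.spec shipped with your version.

```ini
# outputs.conf on each universal forwarder (added example, not the page's own)
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = splunk_indexer.acme.com:9995

# Encrypt the forwarder-to-receiver connection.
# The certificate paths and password below are placeholders.
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslPassword = <placeholder-key-passphrase>

# Without the next two settings the forwarder accepts any certificate,
# so a host impersonating the receiver could collect the forwarded data.
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_indexer.acme.com
```

On the receiver, the matching port must be configured as a [splunktcp-ssl:<port>] input in inputs.conf rather than the plain listener enabled in step 3, or the forwarders will fail to connect.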
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0