
Heavy and light forwarder capabilities
Certain capabilities are disabled in heavy and light forwarders. This section describes forwarder capabilities in detail.
Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.
Heavy forwarder details
The heavy forwarder has all Splunk Enterprise functions and modules enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf
includes this stanza:
[pipeline:distributedSearch] disabled = true
For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default
.
Light forwarder details
Most features of Splunk Enterprise are disabled in the light forwarder. Specifically, the light forwarder:
- Disables event signing and checking whether the disk is full (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf
). - Limits internal data inputs to
splunkd
and metrics logs only ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf
). - Disables all indexing (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf
). - Does not use
transforms.conf
and does not fully parse incoming data, but theCHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE,
andsourcetype
properties fromprops.conf
are used. - Disables the Splunk Web interface (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf
). - Limits throughput to 256KBps (
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf
). - Disables the following modules in
$SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf
:
[pipeline:indexerPipe] disabled_processors= indexandforward, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor [pipeline:distributedDeployment] disabled = true [pipeline:distributedSearch] disabled = true [pipeline:fifo] disabled = true [pipeline:merging] disabled = true [pipeline:typing] disabled = true [pipeline:udp] disabled = true [pipeline:tcp] disabled = true [pipeline:syslogfifo] disabled = true [pipeline:syslogudp] disabled = true [pipeline:parsing] disabled_processors=utf8, linebreaker, header, sendOut [pipeline:scheduler] disabled_processors = LiveSplunks
These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.
The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf
on a case-by-case basis.
Purge old indexes
When you convert an indexer instance to a light forwarder, among other things, you disable indexing. In addition, you no longer have access to any data previously indexed on that instance. However, the data still exists.
If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean
command, and then renable the app. For information on the clean
command, see "Remove indexed data from Splunk" in the Managing Indexers and Clusters of Indexers manual.
Considerations for forwarding structured data
Note: When you forward structured data (data with source types that use the INDEXED_EXTRACTIONS
feature) you must perform any parsing, extraction, or filtering changes on the forwarder, not the indexer. See Forward data extracted from header files" in the Getting Data In manual.
PREVIOUS Deploy a light forwarder |
NEXT Upgrade the Windows universal forwarder |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
Feedback submitted, thanks!