Heavy and light forwarder capabilities

Certain capabilities are disabled in heavy and light forwarders. This section describes forwarder capabilities in detail.

Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.

Heavy forwarder details

The heavy forwarder has all Splunk Enterprise functions and modules enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf includes this stanza:

[pipeline:distributedSearch]
disabled = true

For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.

Light forwarder details

Most features of Splunk Enterprise are disabled in the light forwarder. Specifically, the light forwarder:

• Disables event signing and checking whether the disk is full ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf).
• Limits internal data inputs to splunkd and metrics logs only ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf).
• Disables all indexing ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf).
• Does not use transforms.conf and does not fully parse incoming data, but the CHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE, and sourcetype properties from props.conf are used.
• Disables the Splunk Web interface ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf ).
• Limits throughput to 256KBps ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf).
• Disables the following modules in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf:

      [pipeline:indexerPipe]
      disabled_processors= indexandforward, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor

      [pipeline:distributedDeployment]
      disabled = true

      [pipeline:distributedSearch]
      disabled = true

      [pipeline:fifo]
      disabled = true

      [pipeline:merging]
      disabled = true

      [pipeline:typing]
      disabled = true

      [pipeline:udp]
      disabled = true

      [pipeline:tcp]
      disabled = true

      [pipeline:syslogfifo]
      disabled = true

      [pipeline:syslogudp]
      disabled = true

      [pipeline:parsing]
      disabled_processors=utf8, linebreaker, header, sendOut

      [pipeline:scheduler]
      disabled_processors = LiveSplunks 

These modules include the deployment server (not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.

The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.

Purge old indexes

When you convert an indexer instance to a light forwarder, among other things, you disable indexing. In addition, you no longer have access to any data previously indexed on that instance. However, the data still exists.

If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean command, and then renable the app. For information on the clean command, see "Remove indexed data from Splunk" in the Managing Indexers and Clusters of Indexers manual.

Considerations for forwarding structured data

Note: When you forward structured data (data with source types that use the INDEXED_EXTRACTIONS feature) you must perform any parsing, extraction, or filtering changes on the forwarder, not the indexer. See Forward data extracted from header files" in the Getting Data In manual.