Splunk® Enterprise

Forwarding Data

This documentation does not apply to the most recent version of Splunk.

Configure an intermediate forwarder

This topic provides instructions on how to set up an intermediate forwarder tier.

As discussed in the "Forwarder deployment topologies" topic, intermediate forwarding is where a forwarder receives data from one or more forwarders and then sends that data on to an indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want to send data from the forwarders in each region to a central host in that region before forwarding the data to an indexer. All forwarder types can act as an intermediate forwarder.

To set up intermediate forwarding, configure the forwarder to both send and receive data.

Configure intermediate forwarding on a universal forwarder

To set up intermediate forwarding, you must first set up the intermediate forwarding tier. Then, direct additional forwarders to send data to this tier.

Set up the intermediate forwarding tier

To configure intermediate forwarding on a universal forwarder:

1. If you have not already, install the universal forwarder, as described in "Install the universal forwarder software." If you install the universal forwarder on Windows, you can specify the receiving indexer that the forwarder should send data to during the installation process.

2. Configure the forwarder to send data to the receiving indexer, as described in "Configure forwarders with outputs.conf."

3. Edit inputs.conf to configure the forwarder to receive data, as described in "Enable a receiver."

4. (Optional) Edit inputs.conf to configure any local data inputs on the forwarder.

5. Restart the forwarder, as described in "Start and stop Splunk Enterprise" in the Admin manual.

You can repeat these steps to add more forwarders to the tier.

Configure forwarders to use the intermediate forwarding tier

To set up additional forwarders to send their data to the intermediate forwarding tier:

1. If you have not already, install the universal forwarder.

2. Configure the forwarder to send data to the intermediate forwarder.

3. Configure local data inputs on the forwarder.

4. Restart the forwarder.
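
The two procedures above, written out as the configuration files they produce. This is an added example, not taken from the Splunk manual; the host names, the subnet, the monitored path and the use of port 9997 are constructed placeholders.

```ini
# --- Intermediate forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything this forwarder receives or collects on to the indexer.
# idx1.example.com:9997 is a constructed placeholder for the receiving indexer.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997

# --- Intermediate forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Enable receiving: listen for data from other forwarders on TCP 9997.
[splunktcp://9997]
# Optional: accept connections only from the forwarder subnet
# (constructed range), so arbitrary hosts cannot inject data into the tier.
acceptFrom = 10.20.0.0/16

# --- Originating forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Point at the intermediate tier rather than at the indexer.
# Listing several intermediate forwarders load-balances across them.
[tcpout]
defaultGroup = intermediate_tier

[tcpout:intermediate_tier]
server = if1.example.com:9997, if2.example.com:9997

# --- Originating forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# A local data input (constructed path) that will travel through the tier.
[monitor:///var/log/auth.log]
```

Restart each forwarder after editing its files. The originating forwarder's own internal logs reach the indexer through the same path, which is what the `index=_internal` test search relies on.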

Test the configuration

To confirm that the intermediate tier works properly:

1. On the receiving indexer, sign in to Splunk Enterprise.

2. Open the Search and Reporting app.

3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder:

host=<name or ip address of forwarder> index=_internal

If you do not see events, then the host has not been configured properly. See "Troubleshoot forwarder/receiver connection" in this manual for possible fixes.

Configure intermediate forwarding on a heavy or light forwarder

To set up intermediate forwarding, you must first set up the intermediate forwarding tier. Then, direct additional forwarders to send data to this tier.

Set up the intermediate forwarding tier

To configure intermediate forwarding on a heavy or light forwarder:

1. If you have not already, install the full Splunk Enterprise instance, as described in "Installation instructions" in the Installation manual.

2. Use Splunk Web to configure the forwarder to send data to the receiving indexer, as described in "Enable forwarding on a Splunk Enterprise instance."

3. Use Splunk Web to enable receiving on the instance, as described in "Enable a receiver."

4. (Optional) Configure local data inputs on the forwarder. You can use Splunk Web or edit configuration files.

5. (Optional) If you want to reduce the resource footprint of the forwarder, configure the instance as a light forwarder.

Note: The light forwarder has been deprecated, and support for this feature could be removed in a future release.

6. Restart the instance.

Configure forwarders to use the intermediate forwarding tier

To set up additional forwarders to send their data to the intermediate forwarding tier:

1. If you have not already, install the universal or heavy forwarder.

2. Configure the forwarder to send data to the intermediate forwarder.

3. Configure local data inputs on the forwarder.

4. Restart the forwarder.

Test the configuration

To confirm that the intermediate tier works properly:

1. On the receiving indexer, sign in to Splunk Enterprise.

2. Open the Search and Reporting app.

3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder:

host=<name or ip address of forwarder> index=_internal

If you do not see events, then the host has not been configured properly. See "Troubleshoot forwarder/receiver connection" in this manual for possible fixes.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

