Splunk® Enterprise

Forwarding Data

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Enable forwarding on a Splunk Enterprise instance

This topic lists the key steps involved in setting up heavy and light forwarders on full Splunk Enterprise instances, with links to more detailed topics. You must install a full Splunk Enterprise instance before enabling and configuring a heavy or light forwarder.

Note: This topic assumes that your receivers are indexers. However, in some scenarios, discussed elsewhere, a forwarder also serves as receiver. The set-up is basically much the same for any kind of receiver.

If you want to forward data across a proxy, see "Configure a forwarder to use a SOCKS proxy in this manual.

Set up forwarding and receiving: heavy or light forwarders

Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.

1. Install the full Splunk Enterprise instances that will serve as forwarders and receivers. See the Installation Manual for details.

2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in this manual.

3. Use Splunk Web or the CLI to enable forwarding on the instances designated as forwarders. See Deploy a heavy forwarder" or "Deploy a light forwarder" in this manual.

4. Specify data inputs for the forwarders in the usual manner. See "What Splunk Enterprise can index" in the Getting Data In manual.

5. Specify the forwarders' output configurations - the receiver(s) that they should send data to. You can do so through Splunk Web, the CLI, or by editing the outputs.conf file. You get the greatest flexibility by editing outputs.conf. For details, see "Deploy a heavy or light forwarder", as well as the other topics in this section, including "Configure forwarders with outputs.conf."

6. On the receivers, search for data to confirm that forwarding, along with any configured behaviors like load balancing or routing, occurs as expected.

Last modified on 27 January, 2016
Supported CLI commands
Enable a receiver

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters