Splunk® Enterprise

Forwarding Data

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Enable a receiver

A receiver is a Splunk software instance that is configured to listen on a specific port for incoming communications from a forwarder.

In a typical Splunk Enterprise deployment, the receiver is an indexer or a cluster of indexers. Sometimes the receiver is another forwarder; this is known as an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding. As a best practice, configure your the receivers before configuring the forwarders to send data.

A Splunk Cloud Platform instance receiving port is configured and enabled by default. It is not possible to configure receiving on a Splunk Cloud Platform instance using Splunk Web, editing a .conf file, or using the command line (CLI.)

Configuring the receiver settings directly on Splunk software instances is only recommended for a single instance deployment. To manage Splunk Enterprise configurations in a distributed environment, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.

Configure a receiver using Splunk Web

Use Splunk Web to configure a receiver:

  1. Log into Splunk Web as a user with the admin role.
  2. In Splunk Web, go to Settings > Forwarding and receiving.
  3. Select "Configure receiving."
  4. Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port configured on indexers is port 9997.
  5. Select "New Receiving Port."
  6. Add a port number and save.

Splunk Web is only available with Splunk Enterprise, not the universal forwarder.

Caveats to configuring a receiver using Splunk Web

When you enable a receiver using Splunk Web, the receiver defines the host name that it extracts from forwarders that connect as the network IP address for the forwarder by default. This means that if a connecting forwarder either does not explicitly define a host name, or the host name that the receiver extracts from the forwarder contains the word "localhost", the receiver replaces the host value for that forwarder with the forwarder IP address, and that IP address will subsequently appear in the data as the name of the host that connected.

The 'connection_host' setting is what determines this behavior. You can change the behavior by doing one of the following:

  1. On the forwarder, edit the inputs.conf file to set a specific host name for the forwarder.
  2. On the receiver, edit the inputs.conf file to configure the 'connection_host' setting to either the "dns" value to have the receiver use reverse DNS to determine the connecting forwarder's name, or "none" to have it rely completely on the settings on the forwarder to determine the name.

For more details on the 'connection_host' setting, see the inputs.conf configuration specification.

Configure a receiver using the command line

Use the command line interface (CLI) to configure a receiver:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/bin
  3. Type: splunk enable listen <port> -auth <username>:<password> .
  4. Restart Splunk software for the changes to take effect.
*nix example Windows example 
./splunk enable listen 9997 -auth admin:password
 
splunk enable listen 9997 -auth admin:password

Configure a receiver using a configuration file

Configure a receiver using the inputs.conf file:

  1. Open a shell prompt
  2. Change the path to $SPLUNK_HOME/etc/system/local.
  3. Edit the inputs.conf file.
  4. Create a [splunktcp] stanza and define the receiving port. Example: 
    [splunktcp://9997]
disabled = 0
  5. Save the file.
  6. Restart Splunk software for the changes to take effect.

The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent. You can use either one.

Last modified on 01 April, 2025
Heavy and light forwarder capabilities   Deploy a heavy forwarder

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters