
Configure an intermediate forwarder
This topic provides instructions on how to set up an intermediate forwarder tier.
As discussed in the "Forwarder deployment topologies" topic, intermediate forwarding is where a forwarder receives data from one or more forwarders and then sends that data on to another indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want to send data from those forwarders to a central host in that region before forwarding the data to an indexer. All forwarder types can act as an intermediate forwarder.
To set up intermediate forwarding, configure the forwarder to both send and receive data.
Configure intermediate forwarding on a universal forwarder
To set up intermediate forwarding, you must first set up the intermediate forwarding tier. Then, direct additional forwarders to send data to this tier.
Set up the intermediate forwarding tier
To configure intermediate forwarding on a universal forwarder:
1. If you have not already, install the universal forwarder, as described in "Install the universal forwarder software." If you install the universal forwarder on Windows, you can specify the receiving indexer that the forwarder should send data to during the installation process.
2. Configure the forwarder to send data to the receiving indexer, as described in "Configure forwarders with outputs.conf."
3. Edit inputs.conf to configure the forwarder to receive data, as described in "Enable a receiver."
4. (Optional) Edit inputs.conf to configure any local data inputs on the forwarder.
5. Restart the forwarder, as described in "Start and stop Splunk Enterprise" in the Admin manual.
You can repeat these steps to add more forwarders to the tier.
Configure forwarders to use the intermediate forwarding tier
To set up additional forwarders to send their data to the intermediate forwarding tier:
1. If you have not already, install the universal forwarder.
2. Configure the forwarder to send data to the intermediate forwarder.
3. Configure local data inputs on the forwarder.
4. Restart the forwarder.
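The two procedures above, shown as configuration files. This is an added example, not taken from the Splunk documentation; the host names, the output group names, port 9997, and the monitored path are constructed placeholders, and the files are assumed to live in $SPLUNK_HOME/etc/system/local on each forwarder.

```ini
# ---- Intermediate forwarder: outputs.conf ----
# Send everything this forwarder receives (and collects locally)
# on to the receiving indexer. Host and port are placeholders.
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
server = indexer.example.com:9997

# ---- Intermediate forwarder: inputs.conf ----
# Listen for data from other forwarders. Together with the
# outputs.conf above, this makes the instance both a receiver
# and a sender, which is what defines an intermediate forwarder.
[splunktcp://9997]
disabled = 0

# ---- Forwarder that uses the tier: outputs.conf ----
# Point at the intermediate forwarder, not at the indexer.
[tcpout]
defaultGroup = intermediate_tier

[tcpout:intermediate_tier]
server = intermediate.example.com:9997

# ---- Forwarder that uses the tier: inputs.conf ----
# One local data input (placeholder path).
[monitor:///var/log/messages]
disabled = 0
```

Restart each forwarder after editing its files so that the new settings take effect.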
Test the configuration
To confirm that the intermediate tier works properly:
1. On the receiving indexer, sign in to Splunk Enterprise.
2. Open the Search and Reporting app.
3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder:
host=<name or ip address of forwarder> index=_internal
If you do not see events, then the host has not been configured properly. See "Troubleshoot forwarder/receiver connection" in this manual for possible fixes.
Configure intermediate forwarding on a heavy or light forwarder
To set up intermediate forwarding, you must first set up the intermediate forwarding tier. Then, direct additional forwarders to send data to this tier.
Set up the intermediate forwarding tier
To configure intermediate forwarding on a heavy or light forwarder:
1. If you have not already, install the full Splunk Enterprise instance, as described in "Installation instructions" in the Installation manual.
2. Use Splunk Web to configure the forwarder to send data to the receiving indexer, as described in "Enable forwarding on a Splunk Enterprise instance."
3. Use Splunk Web to enable receiving on the instance, as described in "Enable a receiver."
4. (Optional) Configure local data inputs on the forwarder. You can use Splunk Web or edit configuration files.
5. (Optional) If you want to reduce the resource footprint of the forwarder, configure the instance as a light forwarder.
Note: The light forwarder has been deprecated, and support for this feature could be removed in a future release.
6. Restart the instance.
Configure forwarders to use the intermediate forwarding tier
To set up additional forwarders to send their data to the intermediate forwarding tier:
1. If you have not already, install the universal or heavy forwarder.
2. Configure the forwarder to send data to the intermediate forwarder.
3. Configure local data inputs on the forwarder.
4. Restart the forwarder.
Test the configuration
To confirm that the intermediate tier works properly:
1. On the receiving indexer, sign in to Splunk Enterprise.
2. Open the Search and Reporting app.
3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder:
host=<name or ip address of forwarder> index=_internal
If you do not see events, then the host has not been configured properly. See "Troubleshoot forwarder/receiver connection" in this manual for possible fixes.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14