Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Use forwarders to get data in

Forwarders are Splunk Enterprise instances that consume data and forward it on to Splunk Enterprise indexers for processing. They require minimal resources and have little impact on performance, so they can usually reside on the machines where the data originates.

For example, if you have a number of Apache Web servers generating data that you want to search centrally, you can install a Splunk Enterprise indexer and then set up forwarders on the Apache machines. The forwarders take the Apache data and send it on to the indexer, which then consolidates, stores, and makes it available for searching. Because of their light footprint, the forwarders have minimal performance impact on the Apache servers.

Similarly, you can install forwarders on your employees' Windows desktops. These can send logs and other data to a central Splunk Enterprise instance, where you can view the data as a whole to track malware or other issues.

What forwarders do

You can use forwarders to get data from remote machines. They are a more robust solution than raw network feeds because they provide the following capabilities:

  • Tagging of metadata (source, sourcetype, and host)
  • Configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports
  • Running scripted inputs locally

Forwarders consume data in the same way as any other Splunk Enterprise instance. They can handle exactly the same types of data as an indexer. The difference is that forwarders usually do not index the data themselves. Instead, they get the data and send it on to an indexer, which does the indexing and searching. A single indexer can process data coming from many forwarders. For detailed information on forwarders, see the Forwarding Data manual.

In most Splunk Enterprise deployments, forwarders serve as the primary consumers of data. It is only in single-machine deployments that the indexer might also be the main data consumer. In a large Splunk Enterprise deployment, you might have hundreds or even thousands of forwarders consuming data and forwarding it on to a group of indexers for consolidation.

How to configure forwarder inputs

As lightweight instances of Splunk Enterprise, forwarders have limited capabilities by design. For example, most forwarders do not include Splunk Web, which means no interface is available to set up data inputs. Here are the main ways that you can configure data inputs on a forwarder:

  • Specify inputs during initial deployment.
      ◦ For Windows forwarders, specify common inputs during the installation process itself.
      ◦ For *nix forwarders, you can specify inputs directly after installation.
  • Use the CLI.
  • Edit inputs.conf.
  • Deploy an app that contains the inputs you want.
  • Use Splunk Web on a full Splunk Enterprise test instance to configure the inputs and distribute the resulting inputs.conf file to the forwarder itself.
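Because a forwarder has no Splunk Web, the inputs.conf and outputs.conf files you edit or distribute are the only record of whether the capabilities listed above (metadata tagging, compression, SSL) are actually switched on. The script below is an added example, not Splunk code, that parses a forwarder's two configuration files and reports the stanzas that fall short. The setting names (sslCertPath, sslRootCAPath, sslVerifyServerCert, sslPassword, compressed, useACK, sourcetype, index) are the 6.x outputs.conf and inputs.conf settings; the hostnames, file paths, certificate password and log paths in the embedded .conf text are constructed for illustration. The weak outputs.conf is shown beside a hardened one so the checks can be seen firing and then passing.

```python
"""Audit a forwarder's inputs.conf / outputs.conf for the settings that make
forwarding more robust than a raw network feed.  Added example; the .conf
text below is constructed, not taken from a real deployment."""
import configparser

# Constructed outputs.conf: Splunk-to-Splunk TCP with no SSL settings at all.
# In 6.x this means the feed to the indexer is neither encrypted nor
# authenticated, and nothing tells the forwarder to compress it.
WEAK_OUTPUTS = """
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer01.example.internal:9997
"""

# Constructed outputs.conf: the same group with compression, acknowledgement
# and the 6.x SSL settings, including verification of the indexer's certificate.
# The password value is a placeholder; a real file holds the key's password.
HARDENED_OUTPUTS = """
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer01.example.internal:9997
compressed = true
useACK = true
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslPassword = PLACEHOLDER_KEY_PASSWORD
sslVerifyServerCert = true
"""

# Constructed inputs.conf: the first monitor stanza tags its metadata, the
# second leaves sourcetype and index to be guessed at the indexer.
INPUTS = """
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
index = web

[monitor:///var/log/apache2/error.log]
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk .conf text.  Stanza names contain ':' and '//', so only
    '=' may separate keys from values, and Splunk keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_outputs(cp):
    """Return one finding per weakness in each [tcpout:<group>] stanza."""
    findings = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        group = cp[section]
        if "sslCertPath" not in group or "sslRootCAPath" not in group:
            findings.append(f"{section}: no SSL certificate or CA configured; "
                            "the feed to the indexer is not encrypted")
        if group.get("sslVerifyServerCert", "false").lower() != "true":
            findings.append(f"{section}: sslVerifyServerCert is not true; "
                            "the indexer's identity is not checked")
        if group.get("compressed", "false").lower() != "true":
            findings.append(f"{section}: compressed is not true")
    return findings


def audit_inputs(cp):
    """Return one finding per monitor stanza that omits sourcetype or index."""
    findings = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        for key in ("sourcetype", "index"):
            if key not in cp[section]:
                findings.append(f"{section}: missing {key}; the indexer will "
                                "assign a default")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_OUTPUTS), ("hardened", HARDENED_OUTPUTS)):
        print(f"outputs.conf ({label}):")
        for line in audit_outputs(parse_conf(text)) or ["  no findings"]:
            print(" ", line)
    print("inputs.conf:")
    for line in audit_inputs(parse_conf(INPUTS)):
        print(" ", line)
```

Run it against `$SPLUNK_HOME/etc/system/local/outputs.conf` and the inputs.conf files under `etc/apps/*/local/` on a forwarder by reading those files into `parse_conf`; the same checks apply to an inputs.conf you built on a test instance before distributing it, since that is the point at which a missing sourcetype or index is cheapest to fix.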

Forwarder Topologies and Deployments

For information on forwarders, including use cases, typical topologies, and configurations, see "About forwarding and receiving" in the Forwarding Data manual.

For details on forwarder deployment, including how to use the deployment server to simplify distribution of configuration files and apps to multiple forwarders, see "Universal forwarder deployment overview" in the Forwarding Data manual.

Last modified on 19 February, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
