Splunk® Enterprise

Forwarding Data

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About forwarding and receiving

You can forward data from one Splunk Enterprise instance to another Splunk Enterprise instance or even to a non-Splunk system. The Splunk Enterprise instance that performs the forwarding is typically a smaller footprint version of Splunk Enterprise, called a forwarder.

A Splunk Enterprise instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk Enterprise indexer, but can also be another forwarder.

Sample forwarding layout

This diagram shows three forwarders sending data to a single receiver (an indexer), which then indexes the data and makes it available for searching:

30 admin13 forwardreceive-dataforward 60.png

Forwarders represent a much more robust solution for data forwarding than raw network feeds, with their capabilities for:

  • Tagging of metadata (source, source type, and host)
  • Configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports

The forwarding and receiving capability makes possible all sorts of interesting Splunk Enterprise topologies to handle functions like data consolidation, load balancing, and data routing.

Learn more about forwarding and receiving

  NEXT
Types of forwarders

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters