Enable forwarding on a Splunk Enterprise instance
This topic lists the key steps involved in setting up heavy and light forwarders on full Splunk Enterprise instances, with links to more detailed topics. You must install a full Splunk Enterprise instance before enabling and configuring a heavy or light forwarder.
Note: This topic assumes that your receivers are indexers. However, in some scenarios, discussed elsewhere, a forwarder also serves as receiver. The set-up is basically much the same for any kind of receiver.
If you want to forward data across a proxy, see "Configure a forwarder to use a SOCKS proxy in this manual.
Set up forwarding and receiving: heavy or light forwarders
Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.
1. Install the full Splunk Enterprise instances that will serve as forwarders and receivers. See the Installation Manual for details.
2. Use Splunk Web or the CLI to enable receiving on the instances designated as receivers. See "Enable a receiver" in this manual.
4. Specify data inputs for the forwarders in the usual manner. See "What Splunk Enterprise can index" in the Getting Data In manual.
5. Specify the forwarders' output configurations - the receiver(s) that they should send data to. You can do so through Splunk Web, the CLI, or by editing the
outputs.conf file. You get the greatest flexibility by editing
outputs.conf. For details, see "Deploy a heavy or light forwarder", as well as the other topics in this section, including "Configure forwarders with outputs.conf."
6. On the receivers, search for data to confirm that forwarding, along with any configured behaviors like load balancing or routing, occurs as expected.
Supported CLI commands
Enable a receiver
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14