
Enable a receiver
A Splunk instance receives data from a forwarder when you enable receiving on it.
To enable forwarding and receiving, you configure both a receiver and a forwarder. The receiver is the Splunk instance that receives the data; the forwarder sends the data to the receiver.
In many cases, the receiver is a Splunk indexer or cluster of indexers. It can also be another forwarder, called an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding.
A forwarder can send data to multiple receivers. Conversely, a receiving indexer can accept data from multiple forwarders. How you set up forwarders and receivers depends on where your data is and where you need it to go.
A Splunk best practice is to set up receivers first, then set up forwarders to send data to those receivers.
Set up receiving
Before you enable a Splunk instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance with Splunk Web, the CLI, or the inputs.conf configuration file.
Set up receiving with Splunk Web
Use Splunk Web to set up a receiver:
- Log into the receiver as admin or an administrative equivalent.
- Click Settings > Forwarding and receiving.
- At Configure receiving, click Add new.
- Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port).
  For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
- Click Save. Splunk software starts listening for incoming data on the port you specified.
Set up receiving with Splunk CLI
- From a shell or command prompt, change to the $SPLUNK_HOME/bin directory:
  cd $SPLUNK_HOME/bin
- Run the CLI command to enable receiving:
  splunk enable listen <port> -auth <username>:<password>
  For <port>, substitute the port you want the receiver to listen on (the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
The splunk enable listen command creates a [splunktcp] stanza in inputs.conf. For example, if you set the port to "9997", it creates the stanza [splunktcp://9997].
Set up receiving with configuration files
You can enable receiving on your Splunk Enterprise instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local. You might need to create this file if it does not exist.
- With a text editor, open inputs.conf in $SPLUNK_HOME/etc/system/local.
- Add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:
  [splunktcp://9997]
  disabled = 0
- Restart Splunk software for the changes to take effect.
The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent. Use either one.
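The following Python code is an added example, not part of the Splunk documentation. It reads inputs.conf text, treats both stanza spellings as the same receiving port, reports whether each port is enabled, and includes a bind test that does the availability check the page suggests doing with netstat. The sample file contents, the function names, and the handling of the disabled key are assumptions.

```python
import re
import socket

# Constructed sample inputs.conf (not taken from a real host).
SAMPLE_INPUTS_CONF = """\
[default]
host = idx01

[splunktcp://9997]
disabled = 0

[splunktcp://:9998]
disabled = 1

[splunktcp://:9997]
"""

# Accepts both spellings the page calls equivalent: one colon or two.
STANZA_RE = re.compile(r"^\[splunktcp://:?(\d+)\]$")


def receiving_ports(conf_text):
    """Map port -> {"enabled": bool, "stanzas": [stanza headers seen]}."""
    ports, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA_RE.match(line)
            current = int(m.group(1)) if m else None
            if m:
                # Assumptions: no "disabled" key means enabled; only 1/true disable.
                entry = ports.setdefault(current, {"enabled": True, "stanzas": []})
                entry["stanzas"].append(line)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "disabled":
                ports[current]["enabled"] = value.lower() not in ("1", "true")
    return ports


def port_unavailable(port, host="0.0.0.0"):
    """True if the TCP port cannot be bound (already in use or not permitted)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return True
    return False
```

A port that shows more than one entry under "stanzas" is declared in both spellings, which is worth collapsing to a single stanza so the file states each receiving port once.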
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 8.0.0, 7.3.3, 8.0.1
Comments
Hi,
Does Splunk forwarder support writing data to Kinesis?
Hi Arpitjain1706,
Technically, yes. Splunk heavy and light forwarders can send data to any third party system.
The key is how that data gets transported to Kinesis. You would likely need to write a script or build a program that acts as a Kinesis producer using the Amazon Kinesis producer libraries or the associated API. The script would have to accept the data that you're collecting with your forwarder as input, then produce Kinesis-compatible records to inject into the Kinesis stream.
For further information, check out the following link: http://docs.aws.amazon.com/streams/latest/dev/building-producers.html
If you have any questions, feel free to post another comment.