Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Enable a receiver

A Splunk instance receives data from a forwarder when you enable receiving on it.

To enable forwarding and receiving, you configure both a receiver and a forwarder. The receiver is the Splunk instance that receives the data; the forwarder sends the data to the receiver.

In many cases, the receiver is a Splunk indexer or cluster of indexers. It can also be another forwarder, called an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding.)

A forwarder can send data to multiple receivers. Conversely, a receiving indexer can accept data from multiple forwarders. How you set up forwarders and receivers depends on where your data is and where you need it to go.

A Splunk best practice is to set up receivers first, then set up forwarders to send data to those receivers.

Set up receiving

Before you enable a Splunk instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance with Splunk Web, the CLI, or the inputs.conf configuration file.

Set up receiving with Splunk Web

Use Splunk Web to set up a receiver:

  1. Log into the receiver as admin or an administrative equivalent.
  2. Click Settings > Forwarding and receiving.
  3. At Configure receiving, click Add new.
  4. Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
  5. Click Save. Splunk software starts listening for incoming data on the port you specified.


Set up receiving with Splunk CLI

  1. From a shell or command prompt, change to the $SPLUNK_HOME/bin directory: 
    cd $SPLUNK_HOME/bin
  2. Run the CLI command to enable receiving: 
    splunk enable listen <port> -auth <username>:<password>

For <port>, substitute the port you want the receiver to listen on (the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

The splunk enable listen command creates a [splunktcp] stanza in inputs.conf. For example, if you set the port to "9997", it creates the stanza [splunktcp://9997].

Set up receiving with configuration files

You can enable receiving on your Splunk Enterprise instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local. You might need to create this file if it does not exist.

  1. With a text editor, open inputs.conf in $SPLUNK_HOME/etc/system/local.
  2. Add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997: 
    [splunktcp://9997]
disabled = 0
  3. Restart Splunk software for the changes to take effect.

The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent. Use either one.

Last modified on 14 January, 2021
PREVIOUS
Heavy and light forwarder capabilities 		  NEXT
Deploy a heavy forwarder

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters