Splunk® Enterprise

Forwarding Data

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Enable forwarding on a Splunk Enterprise instance

You can set up heavy and light forwarders on full Splunk Enterprise instances. The process is different on a universal forwarder. To learn how to configure a universal forwarder to send data, see "Find additional information about the universal forwarder in the Universal Forwarder manual" later in this topic.

Set up forwarding and receiving: heavy or light forwarders

For instructions on how to enable receiving on a Splunk Enterprise instance, see Enable a receiver. If you do not see data on the indexers after you enable forwarding and receiving, see Troubleshoot forwarder/receiver connection.

  1. Designate hosts that will act as forwarders and receivers.
  2. Install Splunk Enterprise on all of these hosts.
  3. On each receiver, use Splunk Web or the CLI to enable receiving.
  4. On each forwarder, use Splunk Web or the CLI to enable forwarding. See Deploy a heavy forwarder or Deploy a light forwarder.
  5. On each forwarder, use Splunk Web or the CLI, or edit inputs.conf to specify data inputs.
  6. On each forwarder, use Splunk Web or the CLI, or edit outputs.conf to specify where the forwarders should send data.
  7. On each forwarder, restart Splunk Enterprise to commit the configuration changes and start forwarding.
  8. On the receivers, search for data to confirm that forwarding occurs as you expect. For example:

host=<forwarder host name>
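
Steps 3, 5, and 6 done by editing the configuration files directly instead of using Splunk Web or the CLI, as an added example that is not part of the Splunk documentation. The receiver host name idx1.example.com, port 9997, the output group name primary_indexers, and the monitored path are assumptions.

```ini
# --- Receiver: $SPLUNK_HOME/etc/system/local/inputs.conf (step 3) ---
# Accept data from forwarders on TCP port 9997.
# The port number is an assumption; use the port you enabled for receiving.
[splunktcp://9997]
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (step 5) ---
# Constructed sample input: monitor a single log file.
# Path, sourcetype, and index are assumptions; replace them with your own.
[monitor:///var/log/messages]
sourcetype = syslog
index = main
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (step 6) ---
# Send all forwarded data to the target group named below by default.
[tcpout]
defaultGroup = primary_indexers

# Hypothetical group name and receiver address. The port must match the
# [splunktcp://...] stanza on the receiver.
[tcpout:primary_indexers]
server = idx1.example.com:9997
```

After you save the files, restart Splunk Enterprise on the forwarder (step 7), then run the search above on the receiver to confirm that events arrive with the forwarder's host name.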

Set up the universal forwarder

The universal forwarder is a separate product with a separate installation package and documentation. See the Universal Forwarder manual for details about the universal forwarder software.

  1. Designate hosts that will act as forwarders and receivers.
  2. Install Splunk Enterprise on the receiver hosts.
  3. On each receiver, use Splunk Web or the CLI to enable receiving.
  4. Download the universal forwarder software for the operating system that the forwarder hosts run. For example, if the forwarder hosts run Windows, download the Windows universal forwarder.
  5. Install the universal forwarder software on the forwarder hosts. If the hosts run Windows, you can configure parts of the universal forwarder during the installation.
  6. After you install the universal forwarder, configure it to send data to a Splunk Enterprise, Splunk Light, or Splunk Cloud indexer.
  7. Configure the data inputs that you want to forward.
  8. Start the universal forwarder.
  9. On the receivers, search for data to confirm that forwarding occurs as you expect. For example:

host=<forwarder host name>

Find additional information about the universal forwarder in the Universal Forwarder manual

The Universal Forwarder manual has detailed information on how to install, configure, and troubleshoot problems with the universal forwarder software. For detailed instructions on how to install the forwarder, see Install the universal forwarder software in the Universal Forwarder manual.

Last modified on 04 April, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

