Splunk® Enterprise

Forwarding Data


Enable forwarding on a Splunk Enterprise instance

You can set up heavy and light forwarders on full Splunk Enterprise instances. To learn how to configure a universal forwarder to send data, see "Find additional information about the universal forwarder in the Universal Forwarder manual" later in this topic. The process is different on a universal forwarder.

Set up forwarding and receiving: heavy or light forwarders

For instructions on how to enable receiving on a Splunk Enterprise instance, see Enable a receiver. If you do not see data on the indexers after you enable forwarding and receiving, see Troubleshoot forwarder/receiver connection.

  1. Designate hosts that will act as forwarders and receivers.
  2. Install Splunk Enterprise on all of these hosts.
  3. On each receiver, use Splunk Web or the CLI to enable receiving.
  4. On each forwarder, use Splunk Web or the CLI to enable forwarding. See Deploy a heavy forwarder or Deploy a light forwarder.
  5. On each forwarder, use Splunk Web or the CLI, or edit inputs.conf to specify data inputs.
  6. On each forwarder, use Splunk Web or the CLI, or edit outputs.conf to specify where the forwarders should send data.
  7. On each forwarder, restart Splunk Enterprise to commit the configuration changes and start forwarding.
  8. On the receivers, search for data to confirm that forwarding occurs as you expect. For example:

host=<forwarder host name>
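
The configuration files behind steps 3, 5, and 6, shown as an added example that is not taken from the Splunk manual. The host names, the group name, port 9997, the monitored path, the sourcetype, and the index are assumed values chosen for illustration.

```ini
# --- Receiver: $SPLUNK_HOME/etc/system/local/inputs.conf (step 3) ---
# Listen for data from forwarders on TCP port 9997 (assumed port).
[splunktcp://9997]
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (step 5) ---
# Data input to forward. Path, sourcetype, and index are assumed values.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (step 6) ---
# defaultGroup must name a [tcpout:<group>] stanza defined in this file.
[tcpout]
defaultGroup = primary_indexers

# Receivers in the group. Each port must match a [splunktcp://<port>]
# stanza on that receiver. Host names are assumed values.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

After the restart in step 7, the search in step 8 should return events whose host field is the forwarder's host name.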

Set up the universal forwarder

The universal forwarder is a separate product with a separate installation package and documentation. See the Universal Forwarder manual for details about the universal forwarder software.

  1. Designate hosts that will act as forwarders and receivers.
  2. Install Splunk Enterprise on the receiver hosts.
  3. On each receiver, use Splunk Web or the CLI to enable receiving.
  4. Download the universal forwarder software for the operating system that the forwarder hosts run. For example, if the forwarder hosts run Windows, download the Windows universal forwarder.
  5. Install the universal forwarder software on the forwarder hosts. If the hosts run Windows, you can configure parts of the universal forwarder during the installation.
  6. After you install the universal forwarder, configure it to send data to a Splunk Enterprise, Splunk Light, or Splunk Cloud indexer.
  7. Configure the data inputs that you want to forward.
  8. Start the universal forwarder.
  9. On the receivers, search for data to confirm that forwarding occurs as you expect. For example:

host=<forwarder host name>

Find additional information about the universal forwarder in the Universal Forwarder manual

The Universal Forwarder manual has detailed information on how to install, configure, and troubleshoot problems with the universal forwarder software. For detailed instructions on how to install the forwarder, see Install the universal forwarder software in the Universal Forwarder manual. For more information on how to use the universal forwarder to send data, see one of the following topics in the Universal Forwarder manual:


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2

