Enable a receiver
A Splunk instance receives data from a forwarder when you enable receiving on it.
In many cases, the receiver is a Splunk indexer or cluster of indexers. It can also be another forwarder, called an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding.)
A forwarder can send data to multiple receivers. Conversely, a receiving indexer can accept data from multiple forwarders. How you set up forwarders and receivers depends on where your data is and where you need it to go.
A Splunk best practice is to set up receivers first, then set up forwarders to send data to those receivers.
Set up receiving
Before you enable a Splunk instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance with Splunk Web, the CLI, or the inputs.conf configuration file.
Set up receiving with Splunk Web
Use Splunk Web to set up a receiver:
- Log into the receiver as admin or an administrative equivalent.
- Click Settings > Forwarding and receiving.
- At Configure receiving, click Add new.
- Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port).
For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like
netstatto determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
- Click Save. Splunk software starts listening for incoming data on the port you specified.
Set up receiving with Splunk CLI
- From a shell or command prompt, change to the
- Run the CLI command to enable receiving:
splunk enable listen <port> -auth <username>:<password>
<port>, substitute the port you want the receiver to listen on (the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. You can specify any unused port. You can use a tool like
netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
splunk enable listen command creates a
[splunktcp] stanza in
inputs.conf. For example, if you set the port to "9997", it creates the stanza
Set up receiving with configuration files
You can enable receiving on your Splunk Enterprise instance by configuring
$SPLUNK_HOME/etc/system/local. You might need to create this file if it does not exist.
- With a text editor, open
- Add a
[splunktcp]stanza that specifies the receiving port. In this example, the receiving port is 9997:
[splunktcp://9997] disabled = 0
- Restart Splunk software for the changes to take effect.
[splunktcp://:9997] (one colon or two) are semantically equivalent. Use either one.
Heavy and light forwarder capabilities
Deploy a heavy forwarder
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2