Splunk® Enterprise

Forwarding Data


Enable a receiver

A Splunk instance receives data from a forwarder when you enable receiving on it.

To enable forwarding and receiving, you configure both a receiver and a forwarder. The receiver is the Splunk instance that receives the data; the forwarder sends the data to the receiver.

In many cases, the receiver is a Splunk indexer or cluster of indexers. It can also be another forwarder, called an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding.

A forwarder can send data to multiple receivers. Conversely, a receiving indexer can accept data from multiple forwarders. How you set up forwarders and receivers depends on where your data is and where you need it to go.

A Splunk best practice is to set up receivers first, then set up forwarders to send data to those receivers.

Set up receiving

Before you enable a Splunk instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance with Splunk Web, the CLI, or the inputs.conf configuration file.

Set up receiving with Splunk Web

Use Splunk Web to set up a receiver:

  1. Log in to the receiver as admin or an administrative equivalent.
  2. Click Settings > Forwarding and receiving.
  3. At Configure receiving, click Add new.
  4. Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
  5. Click Save. Splunk software starts listening for incoming data on the port you specified.

Set up receiving with Splunk CLI

  1. From a shell or command prompt, change to the $SPLUNK_HOME/bin directory:
    cd $SPLUNK_HOME/bin
  2. Run the CLI command to enable receiving:
    splunk enable listen <port> -auth <username>:<password>

For <port>, substitute the port you want the receiver to listen on (the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

The splunk enable listen command creates a [splunktcp] stanza in inputs.conf. For example, if you set the port to "9997", it creates the stanza [splunktcp://9997].

Set up receiving with configuration files

You can enable receiving on your Splunk Enterprise instance by configuring inputs.conf in $SPLUNK_HOME/etc/system/local. You might need to create this file if it does not exist.

  1. With a text editor, open inputs.conf in $SPLUNK_HOME/etc/system/local.
  2. Add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:
    [splunktcp://9997]
    disabled = 0
  3. Restart Splunk software for the changes to take effect.

The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent. Use either one.
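
An added example (not Splunk's code and not part of the original topic): a short Python audit of inputs.conf text that treats the two equivalent stanza forms as the same port, so you can list which receiving ports are enabled and spot a port declared twice. The sample file contents and the function names are constructed for illustration, and it assumes a stanza without a disabled line is enabled.

```python
import re
from collections import Counter

# Constructed sample inputs.conf contents, not taken from a real deployment.
SAMPLE = """\
[splunktcp://9997]
disabled = 0

[splunktcp://:9998]
disabled = 1

[monitor:///var/log/messages]
disabled = 0

[splunktcp://:9997]
"""

# Matches both header forms named above: one colon or two.
SPLUNKTCP = re.compile(r"^\[splunktcp://:?(\d+)\]$")

def parse_receivers(conf_text):
    """Return [header, port, enabled] for each receiving stanza, in file order."""
    stanzas, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            match = SPLUNKTCP.match(line)
            # Assumption: a stanza with no "disabled" line is enabled.
            current = [line, int(match.group(1)), True] if match else None
            if current:
                stanzas.append(current)
        elif current is not None and "=" in line:
            # Settings only count while we are inside a splunktcp stanza.
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "disabled":
                current[2] = value.lower() in ("0", "false")
    return stanzas

def enabled_ports(stanzas):
    """Ports with at least one enabled receiving stanza."""
    return sorted({port for _, port, on in stanzas if on})

def duplicate_ports(stanzas):
    """Ports declared by more than one stanza after normalizing both forms."""
    counts = Counter(port for _, port, _ in stanzas)
    return sorted(port for port, n in counts.items() if n > 1)
```

Comparing `enabled_ports(parse_receivers(text))` against the ports you intended to open is a quick check that no unexpected listener was left enabled.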


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Hi Arpitjain1706,

Technically, yes. Splunk heavy and light forwarders can send data to any third party system.

The key is how that data gets transported to Kinesis. You would likely need to write a script or build a program that acts as a Kinesis producer using the Amazon Kinesis producer libraries or the associated API. The script would have to accept the data that you're collecting with your forwarder as input, then produce Kinesis-compatible records to inject into the Kinesis stream.

For further information, check out the following link: http://docs.aws.amazon.com/streams/latest/dev/building-producers.html

If you have any questions, feel free to post another comment.

Malmoore, Splunker
November 11, 2016

Does the Splunk forwarder support writing data to Kinesis?

November 11, 2016
