Splunk® Enterprise

Add McAfee data: Single instance

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install a heavy fowarder

To install a heavy forwarder using Linux and connect it to your Splunk platform deployment, perform the following steps:

  1. Download and install a full Splunk Enterprise instance.
  2. Enable your Splunk Enterprise instance as a heavy forwarder.

Install and configure a heavy forwarder for Linux

Download the Linux version of Splunk Enterprise.

When you install Splunk Enterprise, note the following:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, you can change directories to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
  • Splunk Enterprise does not create the splunk user. To make Splunk Enterprise run as a specific user, you create the user manually before you install.
  • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

To install Splunk Enterprise, follow these steps:

  1. Untar the Splunk Enterprise file into an appropriate directory: 
    tar xvzf splunk_package_name.tgz

    The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command: 

    tar xvzf splunk_package_name.tgz -C /opt
  2. Navigate to the directory where you installed Splunk, and start the Splunk software. 
    ./splunk start


  3. A command line window prompts you to create an administrator password. Type the password when prompted. You need this password for your initial Splunk Enterprise login. 
    This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.

If you used the --no prompt argument in the command line to start Splunk Enterprise, you are not prompted to create the administrator credentials needed to log into Splunk Enterprise for the first time.

Enable your Splunk Enterprise instance as a heavy forwarder

You can use Splunk Web or the CLI to enable forwarding for a Splunk instance.

Set up heavy forwarding with Splunk Web

Per the previous steps, you should already be logged into Splunk Web as admin on the instance that will be forwarding data.

  1. If necessary, log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. At Configure forwarding, click Add new.
  4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter receivingserver.com:9997.
  5. Click Save.
  6. Restart Splunk Web.

Configure heavy forwarders to index and forward data

Use a heavy forwarder to receive, parse and forward the data to another indexer.

  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Select Forwarding defaults.
  4. Select Yes to store and maintain a local copy of the indexed data on the forwarder.

Set up heavy forwarding with the CLI

In the command line, enable forwarding on the Splunk Enterprise instance, then configure forwarding to a specified receiver.

  1. From a command or shell prompt, navigate to $SPLUNK_HOME/bin/.
  2. Type the following command to enable forwarding: 
    splunk enable app SplunkForwarder -auth <username>:<password>
  3. Restart Splunk Enterprise.

Start forwarding using the CLI

Send data to the receiving indexer that you specify.

  1. From a shell or command prompt, go to the $SPLUNK_HOME/bin directory.
  2. Specify the receiver with the splunk add forward-server command: 
    splunk add forward-server <host>:<port> -auth <username>:<password>
  3. Restart the forwarder.
Last modified on 27 August, 2019
Enable your Splunk Enterprise instance as a reciever   Install DB Connect on your heavy forwarder

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters