Splunk® Enterprise

Add McAfee data: Splunk Cloud


Install a heavy forwarder

To install a heavy forwarder using Linux and connect it to your Splunk platform deployment, perform the following steps:

  1. Download and install a full Splunk Enterprise instance.
  2. Enable your Splunk Enterprise instance as a heavy forwarder.

Install and configure a heavy forwarder for Linux

Download the Linux version of Splunk Enterprise.

When you install Splunk Enterprise, note the following:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, you can change directories to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
  • Splunk Enterprise does not create the splunk user. To make Splunk Enterprise run as a specific user, you create the user manually before you install.
  • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

To install Splunk Enterprise, follow these steps:

  1. Untar the Splunk Enterprise file into an appropriate directory:
    tar xvzf splunk_package_name.tgz
    

    The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

    tar xvzf splunk_package_name.tgz -C /opt
    
  2. Navigate to the directory where you installed Splunk, and start the Splunk software.
    ./splunk start
    

  3. A command line window prompts you to create an administrator password. Type the password when prompted. You need this password for your initial Splunk Enterprise login.
    This appears to be your first time running this version of Splunk.
    
    An Admin password must be set before installation proceeds.
    

If you used the --no-prompt argument on the command line to start Splunk Enterprise, you are not prompted to create the administrator credentials needed to log into Splunk Enterprise for the first time.

Enable your Splunk Enterprise instance as a heavy forwarder

You can use Splunk Web or the CLI to enable forwarding for a Splunk instance.

Set up heavy forwarding with Splunk Web

Per the previous steps, you should already be logged into Splunk Web as admin on the instance that will be forwarding data.

  1. If necessary, log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. At Configure forwarding, click Add new.
  4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter receivingserver.com:9997.
  5. Click Save.
  6. Restart Splunk Web.

Configure heavy forwarders to index and forward data

Use a heavy forwarder to receive, parse and forward the data to another indexer.

  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Select Forwarding defaults.
  4. Select Yes to store and maintain a local copy of the indexed data on the forwarder.

Set up heavy forwarding with the CLI

In the command line, enable forwarding on the Splunk Enterprise instance, then configure forwarding to a specified receiver.

  1. From a command or shell prompt, navigate to $SPLUNK_HOME/bin/.
  2. Type the following command to enable forwarding:
    splunk enable app SplunkForwarder -auth <username>:<password>
    
  3. Restart Splunk Enterprise.

Start forwarding using the CLI

Send data to the receiving indexer that you specify.

  1. From a shell or command prompt, go to the $SPLUNK_HOME/bin directory.
  2. Specify the receiver with the splunk add forward-server command:
    splunk add forward-server <host>:<port> -auth <username>:<password>
    
  3. Restart the forwarder.
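The following shell script is an added example, not Splunk's own code: it turns the install notes and the install and CLI forwarding steps above into one preflight-checked procedure. It assumes SPLUNK_HOME=/opt/splunk, a pre-created run-as user named splunk, a placeholder 10 GiB free-space threshold, and DRY_RUN=1 by default, which prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Splunk's own code: preflight checks taken from the
# install notes above, then the documented install and CLI forwarding steps.
# Assumed (not on the page): SPLUNK_HOME=/opt/splunk, a pre-created run-as
# user "splunk", and DRY_RUN=1, which prints the commands instead of running them.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command under DRY_RUN, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Splunk Enterprise does not create the run-as user, so it must already exist.
user_exists() { id "$1" >/dev/null 2>&1; }

# Check that the partition holding $1 has at least $2 KiB free (df -kP is POSIX).
enough_space_kb() {
    free_kb=$(df -kP "$1" | awk 'NR==2 {print $4}')
    [ -n "$free_kb" ] && [ "$free_kb" -ge "$2" ]
}

# Untar by changing into the target directory first, which also works on
# non-GNU tar builds that lack the -C argument mentioned in the notes.
untar_into() { (cd "$2" && tar xvzf "$1"); }

# Validate the <host>:<port> string given to "splunk add forward-server":
# non-empty host, and a numeric port in 1-65535. Returns 0 when valid.
valid_receiver() {
    host="${1%:*}"; port="${1##*:}"
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# $1 = tarball, $2 = receiver host:port, $3 = admin user:password for -auth.
# The 10 GiB threshold is a placeholder: size it to the data you plan to keep indexed.
install_heavy_forwarder() {
    tgz="$1"; receiver="$2"; auth="$3"; dest=$(dirname "$SPLUNK_HOME")
    user_exists "$SPLUNK_USER" || { echo "create user $SPLUNK_USER first" >&2; return 1; }
    enough_space_kb "$dest" 10485760 || { echo "need >= 10 GiB free on $dest" >&2; return 1; }
    valid_receiver "$receiver" || { echo "bad receiver: $receiver" >&2; return 1; }
    run untar_into "$tgz" "$dest"
    run "$SPLUNK_HOME/bin/splunk" start
    run "$SPLUNK_HOME/bin/splunk" enable app SplunkForwarder -auth "$auth"
    run "$SPLUNK_HOME/bin/splunk" add forward-server "$receiver" -auth "$auth"
    run "$SPLUNK_HOME/bin/splunk" restart
}
```

Passing -auth on the command line leaves the credentials visible in the process list and shell history; omitting -auth makes the splunk CLI prompt for them instead.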

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2, 8.0.0


Comments

Hello Dwartaarcos,
Thanks for the information. I have added a "splunk start" step to the instructions.

Mglauser splunk, Splunker
August 27, 2019

The files are no longer in tar format, so you'll have to adjust accordingly, such as installing the .rpm on Linux.
The step to start Splunk or enable Splunk to start at boot seems to be missing between step 1 & 2 of the installation instructions; for example, we entered '.../bin/splunk enable boot-start -user splunk' to get to the prompt mentioned in step 2. Also, the '--no prompt' argument mentioned below step 2 refers to this missing step.
The step to enable the Heavy Forwarder to listen on port 9997 is missing; for example, '.../bin/splunk enable listen 9997 -auth <username>:<password>'

Dwartaarcos
August 27, 2019

Please update the command to install Splunk Enterprise as it is incorrect.

Bbouyaala splunk, Splunker
June 21, 2019
