Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Forward data

The "Forward data" page lets you select forwarders that have connected to the Splunk Enterprise instance to configure and send data to the instance. Splunk Web loads this page when you click the Forward button on the Add data page.

This page is available in the following cases:

  • You have a single instance of Splunk Enterprise that acts as an indexer and deployment server.
  • You have a self-service Splunk Cloud deployment and have configured the universal forwarder as a deployment client.

If you have multiple machines in your Splunk deployment that perform indexing, then this page is not useful. See About deployment server and forwarder management in Updating Splunk Enterprise Instances to learn about the deployment server and how to use it to manage forwarder configurations to send to multiple indexers.

If you have a managed Splunk Cloud deployment, then this page is not available. Instead, you can install a deployment server on-premises to synchronize forwarder configurations so that you do not have to configure forwarders manually.

To determine what type of Splunk Cloud Platform deployment you have, follow the procedures in Splunk Cloud Platform deployment types.

Prerequisites

To use the Forward Data page to configure data inputs, you must configure at least one forwarder as a deployment client. If you have not configured a forwarder as a deployment client, the page notifies you that no deployment clients have been found.

To configure a universal forwarder, see Deploy the universal forwarder in the Universal Forwarder manual. On Windows hosts, you can configure the forwarder as a deployment client during installation.

The Select Forwarders page

When you select "Forward Data" from the "Add Data" page, the following page appears.

71 SelectSource Forward.png

You can define server classes and add forwarders to those classes. Server classes are logical groupings of hosts based on things such as architecture or host name.

This page only displays forwarders that you configured to forward data and act as deployment clients to this instance. If you have not configured any forwarders, the page warns you of this.

  1. In Select Server Class, click one of the options.
    • New to create a new server class, or if an existing server class does not match the group of forwarders that you want to configure an input for.
    • Existing to use an existing server class.
  2. In the Available host(s) pane, choose the forwarders that you want this instance to receive data from. The forwarders move from the Available host(s) pane to the Selected host(s) pane.
    Note: A server class must contain hosts of a certain platform. You cannot, for example, put Windows and *nix hosts in the same server class.
  3. (Optional) You can add all of the hosts by clicking the add all link, or remove all hosts by selecting the remove all link.
  4. If you chose New in "Select server class", enter a unique name for the server class that you will remember. Otherwise, select the server class you want from the drop-down list.
  5. Click Next. The "Select Source" page shows source types that are valid for the forwarders that you selected.
  6. Select the data sources that you want the forwarders to send data to this instance.
  7. Click Next to proceed to the Set Sourcetype page.

Next step

Modify input settings

Last modified on 04 April, 2022
Monitor data   Assign the correct source types to your data

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters