Splunk® Enterprise

Forwarding Data

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Heavy and light forwarder capabilities

This topic describes the capabilities that come with heavy and light forwarders as well as what capabilities are disabled by default.

Heavy forwarder details

The heavy forwarder has all Splunk Enterprise functions and modules enabled by default, with the exception of the distributed search module. The file $SPLUNK_HOME/etc/apps/SplunkForwarder/default/default-mode.conf includes this stanza:

[pipeline:distributedSearch]
disabled = true

For a detailed view of the exact configuration, see the configuration files for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default.

Light forwarder details

The deprecated light forwarder disables most features of Splunk Enterprise. Specifically, the light forwarder:

  • Disables event signing and checking whether the disk is full ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf).
  • Limits internal data inputs to splunkd and metrics logs only ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf).
  • Disables all indexing ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf).
  • Does not use transforms.conf and does not fully parse incoming data, but the CHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE, and sourcetype properties from props.conf are used.
  • Disables the Splunk Web interface ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf ).
  • Limits throughput to 256KBps ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf).
  • Disables the following modules in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf:
      [pipeline:indexerPipe]
      disabled_processors= indexandforward, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor

      [pipeline:distributedDeployment]
      disabled = true

      [pipeline:distributedSearch]
      disabled = true

      [pipeline:fifo]
      disabled = true

      [pipeline:merging]
      disabled = true

      [pipeline:typing]
      disabled = true

      [pipeline:udp]
      disabled = true

      [pipeline:tcp]
      disabled = true

      [pipeline:syslogfifo]
      disabled = true

      [pipeline:syslogudp]
      disabled = true

      [pipeline:parsing]
      disabled_processors=utf8, linebreaker, header, sendOut

      [pipeline:scheduler]
      disabled_processors = LiveSplunks 

These modules include the deployment server (but not the deployment client), distributed search, named pipes/FIFOs, direct input from network ports, and the scheduler.

The defaults for the light forwarder can be tuned to meet your needs by overriding the settings in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf on a case-by-case basis.

Purge old indexes

When you convert an indexer instance to a light forwarder, among other things, you disable indexing. In addition, you lose access to any data that was previously indexed on that instance. However, the data still exists.

If you want to purge that data from your system, you must first disable the SplunkLightForwarder app, then run the CLI clean command, and then renable the app. For information on the clean command, see Remove indexed data from Splunk in the Managing Indexers and Clusters of Indexers manual.

Considerations for forwarding structured data

When you forward structured data (data with source types that use the INDEXED_EXTRACTIONS feature) you must perform any parsing, extraction, or filtering changes on the forwarder, not the indexer. See Forward data extracted from header files in the Getting Data In manual.

Last modified on 26 September, 2016
Enable forwarding on a Splunk Enterprise instance   Enable a receiver

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters