Splunk® Enterprise

Forwarding Data

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure an intermediate forwarder

This topic provides instructions on how to set up an intermediate forwarder tier.

Intermediate forwarding is a configuration in which a forwarder receives data from one or more forwarders and then sends that data on to an indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want the forwarders in each region to send their data to a central host in that region before the data is forwarded to an indexer. All forwarder types can act as an intermediate forwarder.

To set up intermediate forwarding on a universal forwarder, see Configure an intermediate forwarder in the Universal Forwarder manual.

Set up intermediate forwarding with Splunk Web

1. In Splunk Web, log in to the Splunk instance that you want to configure as an intermediate forwarder.

2. In the system bar, choose Settings > Forwarding and receiving.

3. Under "Receive data", click Add new. The "Receive data > Add New" page loads.

4. In the Listen on this port field, enter the port number that the instance should listen on for incoming forwarder connections.

5. Click Save. The forwarder starts listening on the specified port and Splunk Web displays the "Receive data" page.

6. Under "Receive data", click Forwarding and receiving. Splunk Web displays the "Forwarding and receiving" page again.

7. Under "Forward data", on the "Configure forwarding" line, click Add New. The "Forward data > Add New" page loads.

8. In the "Host" field, enter the host name or IP address and port of the indexer that should receive the forwarded data.

Note: Do not use the port you specified earlier for this instance unless you configured the same port number on the receiver.

9. Click Save. Splunk Web saves the configuration and the forwarder attempts to connect to the specified host and port.

10. Restart the forwarder. From the system bar, click Settings > Server controls.

11. Click Restart Splunk.

Repeat these instructions on additional hosts to set up a tier of intermediate forwarders.

Set up intermediate forwarding with configuration files

1. Open a command or shell prompt on the host you want to act as an intermediate forwarder.

2. Edit inputs.conf to configure the forwarder to receive data, as described in Configure data collection on forwarders with inputs.conf.

3. Configure the forwarder to send data to the receiving indexer, as described in Configure forwarders with outputs.conf.

4. (Optional) Edit inputs.conf on the intermediate forwarder to configure any local data inputs.

5. Restart the forwarder.

Repeat these steps to add more forwarders to the tier.

Configure forwarders to use the intermediate forwarding tier

To set up additional forwarders to send their data to the intermediate forwarding tier:

1. If you have not already, install a universal forwarder.

2. Configure the forwarder to send data to the intermediate forwarder.

3. (Optional) Configure local data inputs on the forwarder.

4. Restart the forwarder.
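
The two configuration-file procedures above (the intermediate forwarder and the forwarders that send to it) come down to the following settings. This is an added example, not taken from the Splunk documentation; the host names, the group names and port 9997 are assumed values to replace with your own.

```ini
# === Intermediate forwarder: inputs.conf ===
# Listen for data arriving from other forwarders.
# 9997 is an assumed port; use the port you chose for this tier.
[splunktcp://9997]
disabled = 0

# === Intermediate forwarder: outputs.conf ===
# Send everything received (and any local inputs) on to the indexer.
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
# host:port of the receiving indexer. The port here is the indexer's
# receiving port, not this instance's listening port (they only match
# if the indexer was configured to listen on the same number).
server = idx1.example.com:9997

# === Forwarder that uses the intermediate tier: outputs.conf ===
# Point the forwarder at the intermediate forwarder, not at the indexer.
[tcpout]
defaultGroup = regional_intermediate

[tcpout:regional_intermediate]
# host:port of the intermediate forwarder's [splunktcp://...] input above.
server = if-region1.example.com:9997
```

Restart each instance after editing its files so the new stanzas take effect.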

Test the configuration

To confirm that the intermediate tier works properly:

1. Using Splunk Web, log in to the receiving indexer.

2. Open the Search and Reporting app.

3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder. For example:

host=<name or ip address of forwarder> index=_internal

If you do not see events, then the host has not been configured properly. See Troubleshoot forwarder/receiver connection for possible solutions.

Last modified on 30 March, 2022

This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2
