Enable a receiver
A receiver is a Splunk software instance that is configured to listen on a specific port for incoming communications from a forwarder.
In a typical Splunk Enterprise deployment, the receiver is an indexer or a cluster of indexers. Sometimes the receiver is another forwarder; this is known as an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding. As a best practice, configure your the receivers before configuring the forwarders to send data.
A Splunk Cloud Platform instance receiving port is configured and enabled by default. It is not possible to configure receiving on a Splunk Cloud Platform instance using Splunk Web, editing a .conf file, or using the command line (CLI.)
Configuring the receiver settings directly on Splunk software instances is only recommended for a single instance deployment. To manage Splunk Enterprise configurations in a distributed environment, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.
Configure a receiver using Splunk Web
Use Splunk Web to configure a receiver:
- Log into Splunk Web as a user with the admin role.
- In Splunk Web, go to Settings > Forwarding and receiving.
- Select "Configure receiving."
- Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port configured on indexers is port
9997
. - Select "New Receiving Port."
- Add a port number and save.
Splunk Web is only available with Splunk Enterprise, not the universal forwarder.
Configure a receiver using the command line
Use the command line interface (CLI) to configure a receiver:
- Open a shell prompt
- Change the path to $SPLUNK_HOME/bin
- Type:
splunk enable listen <port> -auth <username>:<password>
. - Restart Splunk software for the changes to take effect.
*nix example | Windows example |
---|---|
./splunk enable listen 9997 -auth admin:password |
splunk enable listen 9997 -auth admin:password |
Configure a receiver using a configuration file
Configure a receiver using the inputs.conf
file:
- Open a shell prompt
- Change the path to
$SPLUNK_HOME/etc/system/local
. - Edit the
inputs.conf
file. - Create a
[splunktcp]
stanza and define the receiving port. Example:[splunktcp://9997] disabled = 0
- Save the file.
- Restart Splunk software for the changes to take effect.
The forms [splunktcp://9997]
and [splunktcp://:9997]
(one colon or two) are semantically equivalent. You can use either one.
Heavy and light forwarder capabilities | Deploy a heavy forwarder |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!